CVE-2025-9985
📋 TL;DR
The Featured Image from URL WordPress plugin, in versions up to and including 5.2.7, exposes sensitive information through a log file that is publicly readable over HTTP. Unauthenticated attackers can fetch the log and learn details about the WordPress installation. Every site running a vulnerable version of the plugin is affected.
💻 Affected Systems
- Featured Image from URL WordPress Plugin
⚠️ Manual Verification Required
The automated database entry for this CVE carries no machine-readable version range, so automatic vulnerability detection cannot determine whether your installation is affected. The advisory text itself gives the affected range as versions up to and including 5.2.7, fixed in 5.2.8, so compare your installed version against that by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials, database connection strings, or other sensitive configuration data leading to complete site compromise.
Likely Case
Attackers gather information about site structure, user data, or plugin configurations that could facilitate further attacks.
If Mitigated
Limited exposure of non-critical debugging information with no sensitive data in logs.
🎯 Exploit Status
Exploitation requires only web access to the log file location, no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.8 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Featured Image from URL'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.2.8+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Restrict log file access
Apache: add .htaccess rules to block public access to the plugin log file. Order/Deny is Apache 2.2 syntax and Apache 2.4 uses Require, so the block below carries both forms and works under either version.
# Add to .htaccess in WordPress root (a root-level <Files> match applies to every log.php below the document root)
<Files "log.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
Disable plugin logging
All platforms: modify the plugin configuration to disable logging. The constant below is the one this page names; before relying on it, search the installed plugin source for that constant name to confirm your version honours it, then re-run the curl check under "How to Verify".
# Add to wp-config.php
define('FIFU_DISABLE_LOGGING', true);
🧯 If You Can't Patch
- Disable the Featured Image from URL plugin completely
- Implement web application firewall rules to block access to /wp-content/plugins/featured-image-from-url/admin/log.php
🔍 How to Verify
Check if Vulnerable:
Request /wp-content/plugins/featured-image-from-url/admin/log.php with a browser or curl while not logged in; an HTTP 200 that returns log content means the file is exposed.
Check Version:
Check the WordPress admin plugins page, or read the Stable tag line in /wp-content/plugins/featured-image-from-url/readme.txt.
Verify Fix Applied:
Verify plugin version is 5.2.8+ and log.php returns 403/404 error when accessed publicly
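The two checks above (read the version, probe the log file) as a small offline script. This is an added example, not code from the page or the plugin; the readme fragment and the HTTP status/body pairs it classifies are constructed, and the `probe()` helper that does a live fetch is an assumption about how you would wire it to a real site.

```python
"""Offline helpers for the verification steps: parse the plugin version from
readme.txt and classify an anonymous HTTP probe of admin/log.php.
Added example, not from the page or the plugin. Sample data is constructed."""
import re
import urllib.error
import urllib.request

LOG_PATH = "/wp-content/plugins/featured-image-from-url/admin/log.php"
FIXED_VERSION = "5.2.8"  # patch version stated in the advisory


def parse_version(v):
    """'5.2.8' -> (5, 2, 8): compare numerically, so 5.10.0 > 5.9.0."""
    return tuple(int(p) for p in v.strip().split("."))


def stable_tag(readme_text):
    """Pull the 'Stable tag:' value out of a WordPress plugin readme.txt."""
    m = re.search(r"^Stable tag:\s*([0-9][0-9.]*)", readme_text, re.M | re.I)
    return m.group(1) if m else None


def version_vulnerable(version):
    """Affected range per the advisory: anything below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def classify_probe(status, body):
    """Verdict for an anonymous GET of log.php.
    200 with content: the log is served to anyone ("exposed").
    200 with empty body: reachable, but nothing logged yet.
    401/403/404: the mitigated state the 'Verify Fix Applied' step expects."""
    if status == 200:
        return "exposed" if body.strip() else "reachable-empty"
    if status in (401, 403, 404):
        return "blocked"
    return "unknown"


def probe(base_url, timeout=10):
    """Live check (hypothetical wiring, not exercised by the tests):
    fetch log.php without cookies and classify the response."""
    url = base_url.rstrip("/") + LOG_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-9985-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_probe(e.code, "")


# Constructed readme fragment in the standard plugin readme layout
SAMPLE_README = """=== Featured Image from URL ===
Requires at least: 4.0
Tested up to: 6.6
Stable tag: 5.2.7
"""

if __name__ == "__main__":
    v = stable_tag(SAMPLE_README)
    print(v, "vulnerable" if version_vulnerable(v) else "patched")
    print(classify_probe(200, "2025-09-10 12:00:01 image fetch ..."))
```

Run `probe("https://example.com")` against your own site to get the live verdict; "blocked" together with a Stable tag of 5.2.8 or higher is the state the fix step asks for.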
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to /wp-content/plugins/featured-image-from-url/admin/log.php
- Unusual access patterns to plugin admin files
Network Indicators:
- HTTP GET requests to plugin log.php from external IPs
- Traffic spikes to plugin directory
SIEM Query:
source="web_access_logs" AND uri="/wp-content/plugins/featured-image-from-url/admin/log.php" AND response="200"
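The log indicators and SIEM query above, implemented over access-log lines so the matching logic can be tested before it is pasted into a SIEM. This is an added example and not part of the page; the four combined-format log lines are constructed, and the path matching strips the query string so a request padded with `?x=1` is still counted.

```python
"""Detection logic for CVE-2025-9985 log indicators, run over constructed
Apache/nginx combined-format access-log lines. Added example, not from the page."""
import re
from collections import Counter

LOG_PATH = "/wp-content/plugins/featured-image-from-url/admin/log.php"

# Combined log format: ip ident user [ts] "METHOD uri proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["uri"].split("?", 1)[0]  # drop query string before matching
    return rec


def is_log_exposure_hit(rec):
    """Same condition as the SIEM query: a 200 served for the plugin log file."""
    return rec is not None and rec["path"] == LOG_PATH and rec["status"] == 200


def analyse(lines):
    """Summarise log.php traffic: successful reads, blocked attempts, reads per IP."""
    hits, blocked, by_ip = 0, 0, Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != LOG_PATH:
            continue
        if rec["status"] == 200:
            hits += 1
            by_ip[rec["ip"]] += 1
        else:
            blocked += 1  # 403/404 here is what a working mitigation looks like
    return {"hits": hits, "blocked": blocked, "by_ip": dict(by_ip)}


def noisy_ips(summary, threshold=2):
    """IPs with repeated successful reads, for the 'multiple 200 OK' indicator."""
    return sorted(ip for ip, n in summary["by_ip"].items() if n >= threshold)


# Constructed sample: two successful reads (one with query padding), one blocked, one unrelated
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2025:12:00:01 +0000] "GET /wp-content/plugins/featured-image-from-url/admin/log.php HTTP/1.1" 200 5123 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Sep/2025:12:00:05 +0000] "GET /wp-content/plugins/featured-image-from-url/admin/log.php?x=1 HTTP/1.1" 200 5123 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Sep/2025:12:01:00 +0000] "GET /wp-content/plugins/featured-image-from-url/admin/log.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2025:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print(summary)
    print("repeat readers:", noisy_ips(summary))
```

A site that has applied the .htaccess or WAF mitigation should show its log.php traffic entirely under `blocked`; any non-zero `hits` after the fix date is a signal that the mitigation is not covering the path (for example because the query-string form or a case variant slipped past a WAF rule).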
🔗 References
- https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/log.php?rev=3344903
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail=#file6
- https://www.wordfence.com/threat-intel/vulnerabilities/id/991d63da-ca6c-400e-beb7-b44cf629abc9?source=cve