Featured Image from URL Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url – CVE-2024-1496 | WordPress Plugin Vulnerability Report

Plugin Name: Featured Image from URL

Key Information:

  • Software Type: Plugin
  • Software Slug: featured-image-from-url
  • Software Status: Active
  • Software Author: marceljm
  • Software Downloads: 4,896,915
  • Active Installs: 100,000
  • Last Updated: February 19, 2024
  • Patched Versions: 4.6.3
  • Affected Versions: <= 4.6.2

Vulnerability Details:

  • Name: Featured Image from URL (FIFU) <= 4.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url
  • Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • CVE: CVE-2024-1496
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: February 19, 2024
  • Researcher: Nikolas - mdr
  • Description: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fifu_input_url parameter in all versions up to, and including, 4.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The Featured Image from URL for WordPress has a vulnerability in versions up to and including 4.6.2 that allows authenticated users with contributor access or higher to inject arbitrary web scripts via the fifu_input_url parameter. This vulnerability has been patched in version 4.6.3.

Detailed Overview:

Nikolas of mdr publicly disclosed on February 19, 2024 that the Featured Image from URL (FIFU) plugin contains an improper neutralization of script-related HTML tags vulnerability. This affects all versions up to and including 4.6.2. The vulnerability is due to insufficient sanitization of the fifu_input_url parameter, allowing authenticated users with contributor access or higher to store cross-site scripts that will execute when pages are loaded. This could enable posting of arbitrary JavaScript or stealing admin authentication cookies. The developer has released FIFU version 4.6.3 to address this vulnerability and users are advised to update immediately.

Advice for Users:

  1. Immediate Action: Upgrade to FIFU version 4.6.3 as soon as possible.
  2. Check for Signs of Vulnerability: Review posts and pages edited by Contributors and Authors for unauthorized scripts.
  3. Alternate Plugins: Consider alternate featured image plugins like Add From Server or Enable Media Replace while assessing this vulnerability.
  4. Stay Updated: Always keep FIFU and other plugins updated to avoid potential vulnerabilities.


The prompt patch from FIFU developers shows the importance of rapid response to disclosed vulnerabilities. Users should upgrade to version 4.6.3 quickly to close this cross-site scripting threat that could lead to cookie theft or JavaScript injection by authenticated users.




Detailed Report:

Keeping your WordPress website up-to-date is critical for security, as outdated plugins and themes can expose you to vulnerabilities capable of bringing down entire sites. Unfortunately, a popular WordPress plugin called Featured Image from URL (FIFU) has a newly disclosed vulnerability that allows authenticated users to inject malicious JavaScript onto pages. This cross-site scripting attack impacts 100,000+ active sites using versions of FIFU up to and including 4.6.2. Without the proper patch, attackers could leverage this to steal admin login cookies, extract sensitive site data, or insert unwanted content.

As a highly popular plugin with over 4 million downloads, Featured Image from URL allows WordPress site owners to easily set featured images using external URLs. However, researcher Nikolas of mdr recently discovered a vulnerability that impacts all FIFU versions up to 4.6.2 that could have serious consequences. By exploiting improper input sanitization in the fifu_input_url parameter, an attacker with just contributor access could store cross-site scripts that activate when pages load. This means the vulnerability provides an avenue for posting unwanted JavaScript, extracting sensitive site data, or even stealing admin login session cookies.

With a CVSS severity score of 6.4 (Medium), website owners using vulnerable FIFU versions should immediately update to version 4.6.3 which contains the patch. Developers have helpfully provided instructions for upgrading the plugin from within the WordPress dashboard to close this authenticated stored cross-site scripting threat. In the meantime, users should check their sites for unauthorized scripts that may have already been injected by attackers that found this vector. Previous FIFU vulnerabilities over the past few years also underscore the importance of prompt upgrades to safe versions.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.

Featured Image from URL Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url – CVE-2024-1496 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment