The Featured Image from URL (FIFU) plugin for WordPress, developed by marceljm, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2025-13393. This vulnerability exists in all versions up to and including 5.3.1 due to inadequate validation of URLs provided by users before these URLs are passed to the PHP getimagesize() function within the Elementor widget integration. The getimagesize() function fetches image metadata from a URL, and if the URL is attacker-controlled and not properly sanitized, it can be used to make arbitrary HTTP requests from the server hosting the WordPress site. Exploitation requires the attacker to have authenticated access with at least Contributor-level permissions and the ability to use Elementor, which is a popular page builder plugin. By exploiting the vulnerability through the fifu_input_url parameter, attackers can cause the server to send requests to internal or external systems, potentially accessing internal services that are otherwise inaccessible externally. This can lead to information disclosure or internal network reconnaissance. However, the vulnerability does not directly allow modification of data or denial of service. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The CVSS 3.1 base score is 4.3, indicating a medium severity primarily due to the ease of exploitation with low privileges but limited impact on confidentiality and no impact on integrity or availability.

The primary impact of CVE-2025-13393 is the potential for attackers with Contributor-level access to perform SSRF attacks, which can be leveraged to probe internal network resources that are not directly accessible from the internet. This can lead to unauthorized information disclosure, such as accessing internal APIs, metadata services, or other sensitive internal endpoints. While the vulnerability does not allow direct data modification or service disruption, the reconnaissance enabled by SSRF can be a stepping stone for more advanced attacks, including lateral movement or privilege escalation within the network. Organizations running WordPress sites with the FIFU plugin and Elementor integration are at risk, especially if they allow Contributor-level users or untrusted users to upload or modify content. The medium severity score reflects the limited scope of impact but acknowledges the risk posed by internal network exposure. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future. This vulnerability is particularly concerning for organizations with sensitive internal services behind firewalls that rely on obscurity for protection.

1. Immediately restrict Contributor-level and higher user permissions to trusted users only, minimizing the risk of exploitation by untrusted or compromised accounts. 2. Disable or restrict the use of the Elementor widget integration that utilizes the FIFU plugin until a patch is available. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests containing the fifu_input_url parameter or unusual URL patterns indicative of SSRF attempts. 4. Monitor server logs for unusual outbound HTTP requests originating from the WordPress server, especially those targeting internal IP ranges or unexpected domains. 5. Network segmentation should be enforced to limit the WordPress server's ability to access sensitive internal services that do not require direct communication. 6. Regularly update the FIFU plugin and Elementor plugin once patches addressing this vulnerability are released. 7. Consider disabling the getimagesize() function or restricting its usage via PHP configuration or plugin code modifications if feasible as a temporary workaround. 8. Conduct security awareness training for site administrators and content contributors regarding the risks of SSRF and the importance of limiting plugin usage and permissions.