CVE-2025-7400 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Featured Image from URL (FIFU) WordPress plugin developed by marceljm. The flaw exists in all versions up to and including 5.2.7 due to improper neutralization of input during web page generation, specifically in the handling of the Featured Image custom fields for posts. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into these fields because the plugin fails to sufficiently sanitize input and escape output before rendering it on pages. When other users visit the affected pages, the malicious scripts execute in their browsers, potentially allowing attackers to hijack sessions, steal cookies, perform actions on behalf of users, or deface content. The vulnerability was partially addressed in version 5.2.2 but remains exploitable in subsequent versions up to 5.2.7. The CVSS 3.1 base score is 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing Contributor-level users to submit content. The plugin’s widespread use in WordPress ecosystems makes this a relevant threat for many websites.

The primary impact of CVE-2025-7400 is the potential for attackers with Contributor-level access to inject persistent malicious scripts into WordPress sites using the FIFU plugin. This can lead to session hijacking, theft of sensitive user data such as cookies or credentials, unauthorized actions performed on behalf of users, and site defacement. The confidentiality and integrity of user data and site content are at risk, although availability is not directly affected. Since the vulnerability requires authenticated access, the risk is somewhat limited to sites that allow user-generated content from contributors or higher roles. However, many WordPress sites permit such roles, increasing the attack surface. Exploitation could facilitate further attacks such as privilege escalation or lateral movement within the site environment. Organizations relying on this plugin may face reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The medium CVSS score reflects these moderate but meaningful risks.

To mitigate CVE-2025-7400, organizations should immediately update the Featured Image from URL (FIFU) plugin to a version beyond 5.2.7 once a fixed release is available, as no patch links are currently provided. Until then, consider disabling or removing the plugin if feasible. Restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious input. Implement additional input validation and output encoding at the application or web server level to neutralize scripts in custom fields. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns to detect and block exploit attempts. Monitor logs for unusual activity related to featured image fields and user-generated content. Educate site administrators and users about the risks of XSS and safe content practices. Regularly audit plugins for vulnerabilities and maintain an up-to-date inventory to respond promptly to emerging threats.