CVE-2025-7400 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Featured Image from URL (FIFU) WordPress plugin, versions up to and including 5.2.7. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of Featured Image custom fields associated with posts. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into these fields due to insufficient input sanitization and lack of proper output escaping. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability was partially addressed in version 5.2.2 but remains exploitable in subsequent versions up to 5.2.7, indicating incomplete remediation. The CVSS 3.1 base score of 6.4 reflects a medium severity level, with network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change affecting confidentiality and integrity but not availability. No public exploits have been reported to date. The vulnerability affects all versions of the plugin up to 5.2.7, which is widely used in WordPress sites to manage featured images via external URLs. The CWE-79 classification highlights the core issue of improper input validation leading to XSS. This vulnerability is significant because it allows persistent script injection, which is more dangerous than reflected XSS due to its lasting presence on the site and potential to affect multiple users. Attackers could leverage this to steal cookies, perform actions on behalf of users, or deliver malware. The partial fix in 5.2.2 suggests that plugin maintainers attempted remediation but did not fully resolve the issue, necessitating further updates. Organizations using this plugin should monitor for updates and apply patches promptly. Additionally, limiting Contributor-level permissions and employing web application firewalls can reduce risk. The vulnerability’s exploitation requires authenticated access, which somewhat limits exposure but still poses a risk in environments with multiple contributors or where accounts may be compromised.

For European organizations, this vulnerability poses a moderate risk primarily to websites and content management systems running WordPress with the FIFU plugin installed. The ability for authenticated contributors to inject persistent malicious scripts can lead to unauthorized data access, session hijacking, and defacement, impacting the confidentiality and integrity of web content and user data. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and disrupt business operations reliant on web presence. Since many European companies and public sector entities use WordPress for their websites, especially in countries with high WordPress market share, the threat is tangible. The requirement for Contributor-level access reduces the risk from anonymous attackers but increases concern in environments with multiple content editors or where account credentials may be phished or leaked. The vulnerability could also be exploited to deliver further malware or phishing content to site visitors, amplifying the impact. Given the medium CVSS score and no current known exploits, the immediate risk is moderate but could escalate if exploits emerge. Organizations with high-value web assets or sensitive user data should prioritize mitigation to prevent potential compromise.

1. Upgrade the Featured Image from URL (FIFU) plugin to a version beyond 5.2.7 once a fully patched release is available, as the current versions up to 5.2.7 remain vulnerable despite partial fixes. 2. Until a patch is released, restrict Contributor-level permissions to trusted users only and review user roles to minimize the number of users with such access. 3. Implement strict input validation and output encoding on the server side for all user-supplied data, especially custom fields related to featured images, to prevent script injection. 4. Deploy a Web Application Firewall (WAF) with rules targeting common XSS payloads to detect and block malicious requests. 5. Conduct regular security audits and code reviews of WordPress plugins and themes to identify and remediate insecure coding practices. 6. Educate content contributors about phishing and credential security to reduce the risk of account compromise. 7. Monitor web server and application logs for unusual activity indicative of exploitation attempts. 8. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the site. 9. Backup website data regularly to enable quick restoration in case of compromise. 10. Engage with the plugin vendor or community to track vulnerability disclosures and patch availability.