CVE-2025-9984: CWE-862 Missing Authorization in marceljm Featured Image from URL (FIFU)
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts.
AI Analysis
Technical Summary
CVE-2025-9984 identifies a missing authorization vulnerability (CWE-862) in the Featured Image from URL (FIFU) WordPress plugin developed by marceljm. The vulnerability exists in the fifu_api_debug_posts() function, which lacks a capability check to verify whether the requesting user has permission to access certain post data. This flaw affects all versions up to and including 5.2.7. Due to this missing authorization, unauthenticated attackers can invoke this function to read private or password-protected posts, thereby exposing sensitive content that should otherwise be restricted. The vulnerability does not require any user interaction or authentication, making it remotely exploitable over the network with low attack complexity. The CVSS 3.1 base score is 5.3, indicating a medium severity primarily due to confidentiality impact without affecting integrity or availability. No public exploits have been reported yet, but the vulnerability’s presence in a popular WordPress plugin increases the risk of future exploitation. The plugin’s widespread use in WordPress sites globally means that many websites could be vulnerable if they have not updated to a patched version or applied mitigations. The vulnerability highlights the importance of implementing proper authorization checks in API endpoints to prevent unauthorized data disclosure.
Potential Impact
The primary impact of CVE-2025-9984 is unauthorized disclosure of private or password-protected WordPress posts, which can lead to leakage of sensitive or confidential information. This can damage the reputation of affected organizations, expose proprietary or personal data, and potentially facilitate further attacks by revealing internal content. Since the vulnerability does not affect data integrity or availability, the risk is confined to confidentiality breaches. However, the ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and exploitation attempts. Organizations running websites with the FIFU plugin are at risk of data leakage, which can affect customer trust and compliance with data protection regulations. The impact is especially significant for websites hosting sensitive content such as corporate communications, membership-only content, or private client information. Although no known exploits exist in the wild currently, the vulnerability’s presence in a widely used plugin makes it a target for attackers seeking to harvest confidential data from WordPress sites.
Mitigation Recommendations
1. Immediately update the Featured Image from URL (FIFU) plugin to the latest version once a patch is released by the vendor to address the missing authorization check.
2. If a patch is not yet available, disable or remove the FIFU plugin temporarily to prevent exploitation.
3. Implement Web Application Firewall (WAF) rules to monitor and block suspicious requests targeting the fifu_api_debug_posts() function or related API endpoints.
4. Restrict access to WordPress REST API endpoints by IP address or require authentication where feasible to limit exposure.
5. Conduct a thorough audit of private and password-protected posts to identify any unauthorized access or data leakage.
6. Monitor web server and application logs for unusual access patterns or repeated requests to the vulnerable API function.
7. Educate site administrators about the importance of plugin updates and secure configuration to prevent similar vulnerabilities.
8. Consider implementing additional access control plugins or custom code to enforce capability checks on sensitive API functions until the official fix is applied.
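Recommendation 8 asks for capability checks on sensitive API functions. The following is an added illustration of what such a check looks like for a WordPress REST route; it is not code from the FIFU plugin and does not reproduce fifu_api_debug_posts(). The namespace `example-plugin/v1`, the route `/debug-posts` and every `example_*` function name are hypothetical; `register_rest_route`, `current_user_can`, `post_password_required`, `rest_authorization_required_code` and the `perm => 'readable'` query argument are real WordPress APIs. The weak registration shows the CWE-862 pattern (a `permission_callback` that always returns true); the hardened registration gates the route on a capability and additionally filters each returned post by what the caller may read.

```php
<?php
// Added example, not the FIFU plugin's code. Names prefixed "example_" and the
// route "example-plugin/v1/debug-posts" are hypothetical.

// WEAK: the debug route accepts every caller. An unauthenticated visitor can
// request it and receive private and password-protected post data (CWE-862).
function example_register_debug_route_weak() {
    register_rest_route( 'example-plugin/v1', '/debug-posts', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_debug_posts',
        'permission_callback' => '__return_true', // no authorization check
    ) );
}

// HARDENED: debug output that can contain private posts is limited to site
// administrators. 401 is returned for anonymous callers, 403 for logged-in
// users without the capability (rest_authorization_required_code decides).
function example_debug_posts_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read debug post data.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_register_debug_route_hardened() {
    register_rest_route( 'example-plugin/v1', '/debug-posts', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_debug_posts',
        'permission_callback' => 'example_debug_posts_permission',
    ) );
}
add_action( 'rest_api_init', 'example_register_debug_route_hardened' );

// Defence in depth: even behind a permission callback, only return posts the
// current user is allowed to read. 'perm' => 'readable' makes WP_Query drop
// private posts the caller cannot read; the per-post checks below cover the
// read_post meta capability and unsupplied post passwords.
function example_debug_posts( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_type'   => 'post',
        'post_status' => array( 'publish', 'private' ),
        'perm'        => 'readable',
        'numberposts' => 50,
    ) );

    $out = array();
    foreach ( $posts as $post ) {
        if ( 'private' === $post->post_status
            && ! current_user_can( 'read_post', $post->ID ) ) {
            continue;
        }
        if ( post_password_required( $post ) ) {
            continue; // password not supplied for this request
        }
        $out[] = array(
            'id'     => $post->ID,
            'status' => $post->post_status,
            'title'  => get_the_title( $post ),
        );
    }
    return rest_ensure_response( $out );
}
```

When reviewing a plugin for this class of flaw, search its `register_rest_route` calls for `permission_callback` values of `__return_true` (or a missing callback on older WordPress versions) and check that routes exposing non-public post data use a capability at least as strict as `read_private_posts`; a debug or diagnostic route that exists only for the developer should require `manage_options` or be removed from production builds.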
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-04T13:32:38.868Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d6187890922828e6e3b953
Added to database: 9/26/2025, 4:37:12 AM
Last enriched: 2/26/2026, 6:26:30 PM
Last updated: 3/22/2026, 2:48:52 PM