CVE-2026-27759: CWE-918 Server-Side Request Forgery (SSRF) in Dhrumil Kumbhani Featured Image from Content
Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations to retrieve sensitive internal data and store it in web-accessible upload directories.
AI Analysis
Technical Summary
CVE-2026-27759 identifies a Server-Side Request Forgery (SSRF) vulnerability in the WordPress plugin 'Featured Image from Content' developed by Dhrumil Kumbhani, affecting versions prior to 1.7. An SSRF vulnerability exists when an attacker can abuse server functionality to make HTTP requests to internal or external systems that the server can reach but the attacker normally cannot. In this case, the plugin allows authenticated users with Author-level privileges to specify a URL from which an image is fetched for use as a post's featured image. Because the URL fetching and file write operations are insufficiently validated, an attacker can direct requests at internal HTTP resources, such as internal APIs, metadata services, or other sensitive endpoints within the hosting environment. The fetched data can then be written to web-accessible upload directories, so the attacker can read the internal response simply by requesting the resulting file from outside. The vulnerability requires authentication at the Author level but no further user interaction. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and low privileges required (PR:L), with limited impact on confidentiality and integrity but some impact on availability. No public exploits or patches are currently reported, indicating the vulnerability is newly disclosed. The vulnerability illustrates the risks of improper input validation and insecure resource fetching in web applications, especially in plugins that integrate external content.
Potential Impact
The primary impact of this vulnerability is unauthorized access to internal HTTP resources that are normally inaccessible from outside the hosting environment. Attackers with Author-level access can exploit this to retrieve sensitive internal data such as configuration files, internal APIs, or metadata services. By writing this data to web-accessible upload directories, attackers can exfiltrate information without direct network access to internal systems. This can lead to information disclosure, which may facilitate further attacks such as privilege escalation, lateral movement, or targeted exploitation of internal services. The vulnerability could also be leveraged to access cloud metadata endpoints in cloud-hosted environments, potentially exposing credentials or tokens. Although the attack requires authenticated Author-level access, many WordPress sites allow user registrations or have multiple authors, increasing the attack surface. The vulnerability does not directly allow remote code execution or denial of service but can compromise confidentiality and integrity of internal data. Organizations running WordPress sites with this plugin are at risk of internal data leakage, which can impact compliance, privacy, and security posture.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations for the presence of the 'Featured Image from Content' plugin and verify the version in use. Until a patched version (1.7 or later) is released, restrict Author-level user permissions to trusted individuals only and consider temporarily disabling the plugin if possible. Implement strict input validation and URL whitelisting to prevent SSRF exploitation. Monitor web-accessible upload directories for unusual files or data that may indicate exploitation attempts. Employ web application firewalls (WAFs) with rules to detect and block SSRF patterns targeting internal resources. Review and harden internal network segmentation to limit access to sensitive internal HTTP services from the web server. Enable logging and alerting on suspicious file writes and unusual HTTP requests originating from the WordPress server. Once a patch is available, apply it promptly. Additionally, educate site administrators about the risks of granting Author-level privileges and enforce the principle of least privilege.
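The following is an added example, not code from the Featured Image from Content plugin or from any published fix, showing how a WordPress plugin can fetch an author-supplied image URL while closing the two weaknesses the advisory describes: unvalidated URL fetching and unvalidated writes into the uploads directory. It relies only on WordPress core functions (wp_http_validate_url, wp_safe_remote_get, wp_upload_bits and their helpers); the function name fic_example_sideload_image, the error codes and the 5 MB response cap are assumptions made for the example.

```php
<?php
/**
 * Added example (not the plugin's own code): a hardened remote-image fetch
 * for a WordPress plugin. The helper name, error codes and size cap are
 * assumptions; every WordPress function used is core API.
 */

/**
 * Fetch an image from a user-supplied URL and store it in the uploads
 * directory, refusing anything that would let the web server act as a
 * proxy to internal HTTP services or write non-image data to disk.
 *
 * @param string $url URL supplied by the post author.
 * @return array|WP_Error Result array of wp_upload_bits() on success.
 */
function fic_example_sideload_image( $url ) {
    // 1. Capability check: only users allowed to upload files may trigger a fetch.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'fic_forbidden', 'Insufficient privileges.' );
    }

    // 2. Scheme and host validation. wp_http_validate_url() rejects non-http(s)
    //    schemes, embedded credentials, unusual ports, and hosts that resolve to
    //    loopback, link-local or private address ranges unless a filter
    //    explicitly allows them.
    $url = wp_http_validate_url( esc_url_raw( $url ) );
    if ( false === $url ) {
        return new WP_Error( 'fic_bad_url', 'URL rejected by validation.' );
    }

    // 3. Fetch with the "safe" HTTP API (reject_unsafe_urls is set). Redirects
    //    are disabled so a public host cannot bounce the server to an internal
    //    address, and the response size is capped.
    $response = wp_safe_remote_get(
        $url,
        array(
            'timeout'             => 10,
            'redirection'         => 0,
            'limit_response_size' => 5 * MB_IN_BYTES, // assumed cap
        )
    );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fic_http_status', 'Unexpected HTTP status.' );
    }

    // 4. Content validation: only write bytes that actually decode as an image.
    //    Checking the bytes rather than the Content-Type header keeps an
    //    internal JSON or text response out of a web-accessible directory.
    $body    = wp_remote_retrieve_body( $response );
    $info    = @getimagesizefromstring( $body );
    $allowed = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    );
    if ( false === $info || ! isset( $allowed[ $info['mime'] ] ) ) {
        return new WP_Error( 'fic_not_image', 'Fetched content is not an allowed image type.' );
    }

    // 5. Server-chosen filename with the extension derived from the verified
    //    MIME type, so the caller has no influence over the stored name.
    $filename = sanitize_file_name(
        'fic-' . wp_generate_password( 12, false ) . '.' . $allowed[ $info['mime'] ]
    );

    // wp_upload_bits() writes into the uploads directory and re-checks the
    // extension against the allowed upload types; 'error' is false on success.
    $upload = wp_upload_bits( $filename, null, $body );
    if ( ! empty( $upload['error'] ) ) {
        return new WP_Error( 'fic_write_failed', $upload['error'] );
    }
    return $upload;
}
```

One caveat worth knowing: wp_http_validate_url() resolves the hostname at validation time, and the actual request resolves it again, so a host whose DNS answer changes between the two lookups is not fully covered by this check. That is why the mitigation section's network-level controls (egress restrictions from the web server to internal HTTP services) still matter alongside application-level validation.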
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-23T21:38:48.842Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a21f2232ffcdb8a27f4a7d
Added to database: 2/27/2026, 10:48:02 PM
Last enriched: 3/7/2026, 9:30:56 PM
Last updated: 4/14/2026, 5:08:46 AM