CVE-2025-4431: 
WordPress vulnerability analysis and mitigation

The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress contains a vulnerability (CVE-2025-4431) discovered on May 30, 2025. The vulnerability affects all versions up to and including 1.6.3, stemming from a missing capability check in the fip_save_attach_featured function. This security flaw allows authenticated users with Subscriber-level access or higher to modify featured images of any post within the WordPress installation (NVD, Wiz).

The vulnerability is classified as an improper access control issue (CWE-284) and missing authorization (CWE-862). It has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The technical root cause lies in the fip_save_attach_featured function's failure to properly validate user capabilities before allowing modifications to featured images (NVD, Wiz).

The vulnerability enables authenticated attackers with Subscriber-level privileges or higher to modify the featured image of any post in the WordPress installation. This can lead to unauthorized content modifications and potential visual defacement of the website (Wiz).

Website administrators running affected versions of the Featured Image Plus plugin should update to a version newer than 1.6.3 when available. In the interim, it is recommended to restrict user roles and carefully review user permissions to minimize potential exploitation (Wiz).