CVE-2025-4431: 
WordPress vulnerability analysis and mitigation

The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data (CVE-2025-4431) due to a missing capability check in the fipsaveattach_featured function. This vulnerability affects all versions up to and including 1.6.3, discovered and disclosed on May 30, 2025 (NVD).

The vulnerability stems from improper access control (CWE-284) in the fipsaveattach_featured function. The plugin fails to properly validate user capabilities, allowing authenticated users with Subscriber-level access or higher to modify featured images of any post. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level privileges or higher to modify the featured image of any post in the WordPress installation, potentially leading to unauthorized content modifications and visual defacement of the website (NVD).

Website administrators running affected versions of the Featured Image Plus plugin should update to a version newer than 1.6.3 when available. Until then, it is recommended to restrict user roles and carefully review user permissions to minimize potential exploitation (NVD).