CVE-2025-5818: 
WordPress vulnerability analysis and mitigation

The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 1.6.4. The vulnerability was discovered and disclosed on July 22, 2025, and is tracked as CVE-2025-5818. The issue exists in the fipgetimage_options() function and affects WordPress installations using the vulnerable plugin versions (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-918 (Server-Side Request Forgery). The vulnerability exists in the fipgetimage_options() function, which allows authenticated users with administrator-level access to make web requests to arbitrary locations originating from the web application (Wordfence).

The vulnerability allows authenticated attackers with administrator-level access to make web requests to arbitrary locations originating from the web application. This can potentially be used to query and modify information from internal services, potentially exposing sensitive information or allowing unauthorized access to internal resources (NVD).

Users should update the Featured Image Plus – Quick & Bulk Edit with Unsplash plugin to a version newer than 1.6.4 to address this vulnerability. The vulnerability has been fixed in subsequent releases (NVD).