CVE-2025-7400: 
WordPress vulnerability analysis and mitigation

The Featured Image from URL (FIFU) plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-7400) affecting all versions up to and including 5.2.7. The vulnerability was discovered and disclosed on October 7, 2025, impacting the plugin's Featured Image custom fields functionality (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the Featured Image custom fields. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required low-level privileges (AttackerKB).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft or user session hijacking (NVD).

A partial fix was implemented in version 5.2.2, though the vulnerability remained exploitable through version 5.2.7. Users are advised to update to the latest version of the FIFU plugin that addresses this vulnerability (NVD).