Featured Image from URL (FIFU) Security & Risk Analysis

wordpress.org/plugins/featured-image-from-url

Use remote media as the featured image and beyond.

70K active installs · v5.3.3 · PHP + WP 5.6+ · Updated Feb 2, 2026
Tags: featured image, url, video, woocommerce
Score: 89 (A · Safe)
CVEs total: 13
Unpatched: 0
Last CVE: Jan 9, 2026
Safety Verdict

Is Featured Image from URL (FIFU) Safe to Use in 2026?

Generally Safe

Score 89/100

Featured Image from URL (FIFU) has a strong security track record. Known vulnerabilities have been patched promptly.

13 known CVEs · Last CVE: Jan 9, 2026 · Updated 2mo ago
Risk Assessment

The "featured-image-from-url" plugin v5.3.3 presents a mixed security posture. While it demonstrates good practices in several areas, such as a high percentage of SQL queries using prepared statements and properly escaped outputs, significant concerns remain. The presence of unsanitized paths in taint analysis, coupled with the use of the dangerous `unserialize` function, opens the door to potential vulnerabilities if these flows are not carefully handled. The plugin also has a substantial attack surface, with one unprotected AJAX handler, which is a direct entry point for unauthenticated attackers.

The plugin's vulnerability history is a major red flag, with a significant number of past CVEs across various severity levels, including high and medium. This pattern suggests a recurring struggle with robust security implementations and proper input validation. While there are currently no unpatched CVEs, the historical prevalence of issues like SSRF, SQL Injection, XSS, and authorization bypass indicates a foundational weakness that could resurface.

In conclusion, despite some positive technical aspects in its current code, the plugin's extensive vulnerability history and the presence of specific code signals like `unserialize` and an unprotected AJAX endpoint warrant caution. Users should be aware of the potential risks, especially considering the historical trend of security issues within this plugin. A thorough review of how the identified unsanitized paths are handled and how the `unserialize` function is used is highly recommended.

Key Concerns

  • Unprotected AJAX handler
  • Dangerous function: unserialize
  • Flows with unsanitized paths
  • High historical CVE count (13 total)
  • Past high severity vulnerabilities
  • Past medium severity vulnerabilities (11)
Vulnerabilities (13)

Featured Image from URL (FIFU) Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2022: 2 CVEs
  • 2023: 1 CVE
  • 2024: 3 CVEs
  • 2025: 5 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 11

13 total CVEs

CVE-2025-13393 · medium · 4.3 · Server-Side Request Forgery (SSRF)

Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url'

Jan 9, 2026 · Patched in 5.3.2 (2d)

CVE-2025-7400 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields

Oct 6, 2025 · Patched in 5.2.8 (1d)

CVE-2025-9984 · medium · 5.3 · Missing Authorization

Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure

Sep 25, 2025 · Patched in 5.2.8 (1d)

CVE-2025-10037 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Admin+) SQL Injection

Sep 25, 2025 · Patched in 5.2.8 (1d)

CVE-2025-9985 · medium · 5.3 · Insertion of Sensitive Information into Log File

Featured Image from URL (FIFU) <= 5.2.7 - Unauthenticated Information Exposure via Log File

Sep 25, 2025 · Patched in 5.2.8 (1d)

CVE-2025-10036 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Admin+) SQL Injection

Sep 25, 2025 · Patched in 5.2.8 (1d)

CVE-2024-37516 · medium · 4.3 · Missing Authorization

Featured Image from URL <= 4.8.2 - Missing Authorization

Jul 5, 2024 · Patched in 4.8.3 (6d)

CVE-2024-37276 · medium · 5.3 · Missing Authorization

Featured Image from URL <= 4.8.1 - Missing Authorization

Jun 28, 2024 · Patched in 4.8.2 (5d)

CVE-2024-1496 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Featured Image from URL (FIFU) <= 4.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url

Feb 19, 2024 · Patched in 4.6.3 (103d)

CVE-2023-6561 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Featured Image from URL (FIFU) <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text

Dec 14, 2023 · Patched in 4.5.4 (229d)

CVE-2022-2278 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Featured Image from URL (FIFU) <= 4.0.0 - Stored Cross-Site Scripting

Jul 5, 2022 · Patched in 4.0.1 (567d)

CVE-2022-2241 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Featured Image from URL (FIFU) <= 3.9.9 - Cross-Site Request Forgery

Jun 30, 2022 · Patched in 4.0.0 (572d)

Featured Image from URL <= 2.7.7 - Missing Authorization on REST API routes

Dec 24, 2019 · Patched in 2.7.8 (1491d)
Code Analysis
Analyzed Mar 16, 2026

Featured Image from URL (FIFU) Code Analysis

  • Dangerous Functions: 5
  • Raw SQL Queries: 50 (152 prepared)
  • Unescaped Output: 18 (101 escaped)
  • Nonce Checks: 2
  • Capability Checks: 7
  • File Operations: 5
  • External Requests: 7
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · admin\menu.php:364 · `foreach (unserialize(FIFU_SETTINGS) as $i)`
  • unserialize · admin\menu.php:369 · `foreach (unserialize(FIFU_SETTINGS) as $i) {`
  • unserialize · includes\jetpack.php:80 · `foreach (unserialize(FIFU_JETPACK_SIZES) as $i)`
  • unserialize · includes\speedup.php:23 · `foreach (unserialize(FIFU_SPEEDUP_SIZES) as $i) {`
  • unserialize · includes\speedup.php:190 · `$sizes = unserialize(FIFU_SPEEDUP_SIZES);`

SQL Query Safety

75% prepared (202 total queries)

Output Escaping

85% escaped (119 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

3 flows, 2 with unsanitized paths
fifu_update_option (admin\menu.php:511)
Attack Surface (1 unprotected)

Featured Image from URL (FIFU) Attack Surface

Entry Points: 38
Unprotected: 1

AJAX Handlers (1)

wp_ajax_get-attachment (auth) · includes\attachment.php:409

REST API Routes (37)

POST /wp-json/featured-image-from-url/v2/metadata_counter_api/ · admin\api.php:1136
POST /wp-json/featured-image-from-url/v2/enable_fake_api/ · admin\api.php:1141
POST /wp-json/featured-image-from-url/v2/disable_fake_api/ · admin\api.php:1146
POST /wp-json/featured-image-from-url/v2/data_clean_api/ · admin\api.php:1151
POST /wp-json/featured-image-from-url/v2/run_delete_all_api/ · admin\api.php:1156
POST /wp-json/featured-image-from-url/v2/disable_default_api/ · admin\api.php:1161
POST /wp-json/featured-image-from-url/v2/none_default_api/ · admin\api.php:1166
POST /wp-json/featured-image-from-url/v2/load-sizes-api/ · admin\api.php:1171
POST /wp-json/featured-image-from-url/v2/reset-sizes-api/ · admin\api.php:1176
POST /wp-json/featured-image-from-url/v2/save-sizes-api/ · admin\api.php:1181
POST /wp-json/featured-image-from-url/v2/pre_deactivate/ · admin\api.php:1186
POST /wp-json/featured-image-from-url/v2/feedback/ · admin\api.php:1191
POST /wp-json/featured-image-from-url/v2/deactivate_itself/ · admin\api.php:1196
GET /wp-json/featured-image-from-url/v2/rest_url_api/ · admin\api.php:1201
POST /wp-json/featured-image-from-url/v2/metain/ · admin\api.php:1206
POST /wp-json/featured-image-from-url/v2/metaout/ · admin\api.php:1227
GET /wp-json/featured-image-from-url/v1/url/(?P<post_id>\d+) · admin\api.php:1249
POST /wp-json/featured-image-from-url/v2/create_thumbnails_list/ · admin\api.php:1255
POST /wp-json/featured-image-from-url/v2/sign_up/ · admin\api.php:1260
POST /wp-json/featured-image-from-url/v2/connected/ · admin\api.php:1265
POST /wp-json/featured-image-from-url/v2/reset_credentials/ · admin\api.php:1270
POST /wp-json/featured-image-from-url/v2/list_all_su/ · admin\api.php:1275
POST /wp-json/featured-image-from-url/v2/list_all_fifu/ · admin\api.php:1280
POST /wp-json/featured-image-from-url/v2/list_all_media_library/ · admin\api.php:1285
POST /wp-json/featured-image-from-url/v2/list_daily_count/ · admin\api.php:1290
POST /wp-json/featured-image-from-url/v2/delete/ · admin\api.php:1295
POST /wp-json/featured-image-from-url/v2/cancel/ · admin\api.php:1300
POST /wp-json/featured-image-from-url/v2/payment_info/ · admin\api.php:1305
POST /wp-json/featured-image-from-url/v2/cloud_upload_auto/ · admin\api.php:1310
POST /wp-json/featured-image-from-url/v2/cloud_delete_auto/ · admin\api.php:1315
POST /wp-json/featured-image-from-url/v2/cloud_hotlink/ · admin\api.php:1320
GET /wp-json/featured-image-from-url/v2/debug-slug/(?P<slug>[a-z0-9-_]+) · admin\debug.php:70
GET /wp-json/featured-image-from-url/v2/debug-postmeta/(?P<post_id>\d+) · admin\debug.php:85
GET /wp-json/featured-image-from-url/v2/debug-posts/(?P<id>\d+) · admin\debug.php:100
GET /wp-json/featured-image-from-url/v2/debug-metain/ · admin\debug.php:115
GET /wp-json/featured-image-from-url/v2/debug-metaout/ · admin\debug.php:122
GET /wp-json/featured-image-from-url/v2/debug-log/(?P<type>(cloud|plugin)) · admin\debug.php:129
WordPress Hooks (100)

action · rest_api_init · admin\api.php:1135
action · init · admin\block.php:37
action · rest_after_insert_post · admin\block.php:51
action · init · admin\block.php:72
action · product_cat_edit_form_fields · admin\category.php:9
action · product_cat_add_form_fields · admin\category.php:10
action · edited_product_cat · admin\category.php:53
action · created_product_cat · admin\category.php:54
action · wp_insert_post · admin\cli-commands.php:246
action · admin_init · admin\column.php:5
filter · admin_head · admin\column.php:6
action · admin_footer · admin\column.php:7
filter · manage_posts_columns · admin\column.php:19
filter · manage_pages_columns · admin\column.php:20
filter · manage_edit-product_cat_columns · admin\column.php:21
action · manage_posts_custom_column · admin\column.php:23
action · manage_pages_custom_column · admin\column.php:24
action · manage_product_cat_custom_column · admin\column.php:25
filter · cron_schedules · admin\cron.php:19
action · fifu_create_cloud_upload_auto_event · admin\cron.php:35
action · fifu_create_cloud_delete_auto_event · admin\cron.php:48
action · rest_api_init · admin\debug.php:69
filter · image_downsize · admin\dimensions.php:106
filter · image_downsize · admin\dimensions.php:161
action · init · admin\languages.php:3
action · updated_option · admin\log.php:60
action · admin_menu · admin\menu.php:9
action · network_admin_menu · admin\menu.php:11
action · admin_init · admin\menu.php:109
action · add_meta_boxes · admin\meta-box.php:2
action · add_meta_boxes · admin\meta-box.php:21
action · add_meta_boxes · admin\meta-box.php:90
action · save_post · admin\meta-box.php:130
action · before_delete_post · admin\meta-box.php:264
filter · duplicate_post_meta_keys_filter · admin\meta-box.php:337
filter · woobe_before_update_product_field · admin\meta-box.php:341
action · dokan_new_product_after_product_tags · admin\meta-box.php:352
action · dokan_product_edit_after_product_tags · admin\meta-box.php:366
action · dokan_new_product_added · admin\meta-box.php:381
action · dokan_product_updated · admin\meta-box.php:382
action · mvx_product_manager_right_panel_after · admin\meta-box.php:398
action · mvx_process_product_object · admin\meta-box.php:416
filter · dfrps_do_import_product_thumbnail/do_import · admin\meta-box.php:426
filter · is_protected_meta · admin\meta-box.php:438
action · admin_init · admin\review.php:5
action · admin_notices · admin\review.php:6
action · in_admin_header · admin\review.php:7
action · vg_sheet_editor/editor/register_columns · admin\sheet-editor.php:3
action · plugins_loaded · admin\sheet-editor.php:50
action · widgets_init · admin\widgets.php:100
action · admin_head-widgets.php · admin\widgets.php:108
action · wcml_after_duplicate_product_post_meta · admin\wpml.php:18
action · wcml_after_sync_product_data · admin\wpml.php:22
action · icl_make_duplicate · admin\wpml.php:26
action · wpml_after_copy_custom_field · admin\wpml.php:36
action · init · elementor\elementor-fifu-extension.php:19
action · elementor/widgets/register · elementor\elementor-fifu-extension.php:22
action · elementor/controls/register · elementor\elementor-fifu-extension.php:23
action · elementor/frontend/after_enqueue_scripts · elementor\elementor-fifu-extension.php:26
action · elementor/editor/after_save · elementor\widgets\widget.php:130
action · admin_init · featured-image-from-url.php:127
action · upgrader_process_complete · featured-image-from-url.php:156
filter · plugin_row_meta · featured-image-from-url.php:196
action · admin_footer · featured-image-from-url.php:241
action · before_woocommerce_init · featured-image-from-url.php:244
filter · gform_tooltips · gravity-forms\class-gffifufieldaddon.php:46
action · gform_field_appearance_settings · gravity-forms\class-gffifufieldaddon.php:47
action · gform_loaded · gravity-forms\fifufieldaddon.php:5
filter · get_attached_file · includes\attachment.php:5
filter · wp_get_attachment_url · includes\attachment.php:53
filter · posts_where · includes\attachment.php:61
filter · posts_where · includes\attachment.php:70
filter · wp_get_attachment_image_src · includes\attachment.php:77
action · template_redirect · includes\attachment.php:182
filter · wp_get_attachment_metadata · includes\attachment.php:315
action · save_post · includes\external-post.php:3
filter · jetpack_photon_skip_image · includes\jetpack.php:206
filter · wp_head · includes\thumbnail-category.php:3
filter · wp_head · includes\thumbnail.php:5
action · wpseo_opengraph_image · includes\thumbnail.php:10
action · wpseo_twitter_image · includes\thumbnail.php:11
action · wpseo_add_opengraph_images · includes\thumbnail.php:12
filter · wp_head · includes\thumbnail.php:14
action · wp_head · includes\thumbnail.php:17
action · wp_head · includes\thumbnail.php:20
filter · wp_head · includes\thumbnail.php:22
filter · wp_get_attachment_image_attributes · includes\thumbnail.php:156
filter · woocommerce_product_get_image · includes\thumbnail.php:192
filter · post_thumbnail_html · includes\thumbnail.php:200
filter · the_content · includes\thumbnail.php:292
filter · the_content · includes\thumbnail.php:330
filter · the_content · includes\thumbnail.php:347
action · pre_rss2_ns · includes\thumbnail.php:482
action · rss2_ns · includes\thumbnail.php:487
action · rss2_item · includes\thumbnail.php:500
filter · posts_results · includes\thumbnail.php:539
filter · wpseo_schema_graph · includes\thumbnail.php:576
filter · rank_math/opengraph/facebook/image · includes\thumbnail.php:578
filter · rank_math/opengraph/twitter/image · includes\thumbnail.php:586
action · woocommerce_product_duplicate · includes\woo.php:15

Scheduled Events (2)

fifu_create_cloud_upload_auto_event
fifu_create_cloud_delete_auto_event
Maintenance & Trust

Featured Image from URL (FIFU) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 2, 2026
PHP min version
Downloads: 7.2M

Community Trust

Rating: 92/100
Number of ratings: 258
Active installs: 70K
Developer Profile

Featured Image from URL (FIFU) Developer Profile

fifu.app

1 plugin · 70K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 229 days
Detection Fingerprints

How We Detect Featured Image from URL (FIFU)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/featured-image-from-url/assets/css/backend-style.css
  • /wp-content/plugins/featured-image-from-url/assets/css/backend-style.min.css
  • /wp-content/plugins/featured-image-from-url/assets/css/frontend-style.css
  • /wp-content/plugins/featured-image-from-url/assets/css/frontend-style.min.css
  • /wp-content/plugins/featured-image-from-url/assets/js/backend-script.js
  • /wp-content/plugins/featured-image-from-url/assets/js/backend-script.min.js
  • /wp-content/plugins/featured-image-from-url/assets/js/frontend-script.js
  • /wp-content/plugins/featured-image-from-url/assets/js/frontend-script.min.js
Script Paths
  • /wp-content/plugins/featured-image-from-url/assets/js/backend-script.js
  • /wp-content/plugins/featured-image-from-url/assets/js/backend-script.min.js
  • /wp-content/plugins/featured-image-from-url/assets/js/frontend-script.js
  • /wp-content/plugins/featured-image-from-url/assets/js/frontend-script.min.js
Version Parameters
  • featured-image-from-url/assets/css/backend-style.css?ver=
  • featured-image-from-url/assets/css/backend-style.min.css?ver=
  • featured-image-from-url/assets/css/frontend-style.css?ver=
  • featured-image-from-url/assets/css/frontend-style.min.css?ver=
  • featured-image-from-url/assets/js/backend-script.js?ver=
  • featured-image-from-url/assets/js/backend-script.min.js?ver=
  • featured-image-from-url/assets/js/frontend-script.js?ver=
  • featured-image-from-url/assets/js/frontend-script.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • fifu-image-wrap
  • fifu-placeholder
HTML Comments
  • <!-- FIFU END -->
Data Attributes
  • data-fifu-id
  • data-fifu-container
  • data-fifu-alt
JS Globals
  • fifu_plugin_url
  • fifu_plugin_ajax_url
  • fifu_settings
  • fifu_multisite_id
REST Endpoints
  • /wp-json/fifu/v1/attachments
  • /wp-json/fifu/v1/import
  • /wp-json/fifu/v1/meta
Shortcode Output
  • [fifu
FAQ

Frequently Asked Questions about Featured Image from URL (FIFU)