CVE-2026-27759 | THREATINT

Description

Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations to retrieve sensitive internal data and store it in web-accessible upload directories.

PUBLISHED Reserved 2026-02-23 | Published 2026-02-27 | Updated 2026-02-27 | Assigner VulnCheck

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status

unaffected

Any version before 1.7

affected

Credits

4lec4st finder

References

wordpress.org/plugins/featured-image-from-content/ product patch

www.vulncheck.com/...ontent-authenticated-ssrf-via-save-post third-party-advisory

cve.org (CVE-2026-27759)

nvd.nist.gov (CVE-2026-27759)

Download JSON