CVE-2025-13393
Server-Side Request Forgery in FIFU WordPress Plugin
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpbeaverbuilder | fifu | to 5.3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) in the Featured Image from URL (FIFU) plugin for WordPress, affecting all versions up to 5.3.1. It occurs because the plugin does not properly validate user-supplied URLs before using them in the getimagesize() function within the Elementor widget integration. This allows authenticated users with Contributor-level access or higher to make web requests from the web application to arbitrary locations.
How can this vulnerability impact me? :
An attacker with Contributor-level access or higher can exploit this vulnerability to make the web application send requests to arbitrary internal or external locations. This can be used to query or modify information from internal services that are otherwise inaccessible, potentially leading to unauthorized data access or manipulation.