CVE Alert: CVE-2025-10145 – themeisle – Auto Featured Image (Auto Post Thumbnail)
CVE-2025-10145
The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.7 via the upload_to_library function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieval.
AI Summary Analysis
Risk verdict
High risk: authenticated SSRF in a WordPress plugin could reach internal services; patching should be prioritised.
Why this matters
An Author+ user can trigger requests from the server to arbitrary destinations, potentially exposing internal services or cloud metadata. This enables confidentiality impact and could facilitate data discovery or exfiltration within the hosting environment, especially on cloud deployments where metadata access is possible.
Most likely attack path
Attack requires Author+ credentials and involves using the plugin’s upload_to_library pathway to cause server-side requests. No additional user interaction is needed beyond authentication. The SSRF scope implies that a compromised instance could affect other components or services the app can reach, increasing potential impact beyond the plugin itself.
Who is most exposed
Self-hosted WordPress sites using Auto Featured Image (Auto Post Thumbnail), particularly on cloud or hosted environments with metadata endpoints or internal services reachable from the web server, and with author-level accounts enabled.
Detection ideas
- Outbound requests from the WordPress host to internal IPs or non-public endpoints.
- Logs showing upload_to_library activity paired with unusual target URLs.
- Access patterns from Author+ accounts performing image/library operations that trigger internal scans.
- Attempts to reach cloud metadata endpoints or internal service URLs from the server.
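An added example, not code from the page or from the plugin's authors, that runs the detection ideas above over constructed log lines. It assumes an application log that records the acting user's role and the URL handed to upload_to_library (a hypothetical log format), and flags requests aimed at loopback, private, link-local or cloud metadata destinations.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log lines (hypothetical format, not from the page):
# timestamp, acting user, role, action and the URL passed to the plugin.
SAMPLE_LOG = """\
2025-09-10T12:00:01Z user=alice role=author action=upload_to_library url=https://cdn.example.com/img/1.jpg
2025-09-10T12:00:05Z user=bob role=author action=upload_to_library url=http://169.254.169.254/latest/meta-data/
2025-09-10T12:00:09Z user=bob role=author action=upload_to_library url=http://10.0.3.7:8080/admin
2025-09-10T12:00:12Z user=carol role=editor action=upload_to_library url=http://metadata.google.internal/computeMetadata/v1/
2025-09-10T12:00:15Z user=dave role=author action=upload_to_library url=http://localhost/wp-admin/
2025-09-10T12:00:20Z user=erin role=subscriber action=view url=https://example.com/
"""

# Hostnames commonly used for cloud metadata services; extend per provider.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data", "localhost"}
LINE_RE = re.compile(
    r"user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) url=(?P<url>\S+)"
)


def is_internal_target(url: str) -> bool:
    """True if the URL points at a non-public destination (SSRF indicator)."""
    host = urlparse(url).hostname
    if not host:
        return True  # unparsable URL: treat as suspicious, never as safe
    if host.lower() in METADATA_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: only resolution at egress time can tell where it goes
        # (DNS rebinding), so egress filtering must cover this case.
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def find_ssrf_candidates(log_text: str) -> list[dict]:
    """Return upload_to_library requests whose target is internal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "upload_to_library":
            continue
        if is_internal_target(m["url"]):
            hits.append({"user": m["user"], "role": m["role"], "url": m["url"]})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_candidates(SAMPLE_LOG):
        print(f"ALERT {hit['role']}/{hit['user']} -> {hit['url']}")
```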
Mitigation and prioritisation
- Update to a release newer than 4.1.7 (the advisory above lists all versions up to and including 4.1.7 as affected); if no fixed release is available, disable the plugin.
- Restrict outbound traffic from the web server to known-good destinations; implement egress filtering and SSRF-reducing WAF rules.
- Enforce least privilege for Author-level accounts; audit and rotate their credentials.
- Test the update in staging before the production change; coordinate with change management.
- If KEV is true or EPSS ≥ 0.5, treat as priority 1.