CVE-2025-10145

WordPress · WordPress Auto Featured Image (Auto Post Thumbnail) plugin

A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the Auto Featured Image plugin for WordPress.

Executive summary

The flaw is a Server-Side Request Forgery (SSRF) in the Auto Featured Image plugin for WordPress. It allows an unauthenticated attacker to trick the affected website's server into making unauthorized requests to internal network resources or external systems. Successful exploitation could lead to sensitive information disclosure, internal network scanning, and bypassing of firewall protections.

Vulnerability

The vulnerability is a Server-Side Request Forgery (SSRF) within the Auto Featured Image plugin. The plugin fails to properly validate user-supplied URLs when fetching images to generate thumbnails. An attacker can submit a specially crafted URL that points to an internal IP address (e.g., 127.0.0.1, 192.168.x.x) or a cloud metadata service endpoint. The server will then process this URL and initiate a connection, allowing the attacker to map internal networks, interact with internal services that are not publicly exposed, or exfiltrate sensitive cloud credentials.

Business impact

This is a high-severity vulnerability with a CVSS score of 7.7. Exploitation could have a significant business impact by exposing the organization's internal network infrastructure to external attackers. Potential consequences include the theft of sensitive data from internal databases or file shares, unauthorized access to internal administrative interfaces, and the exfiltration of cloud service credentials (e.g., AWS IAM keys). This breach of the network perimeter can serve as a foothold for attackers to move laterally and launch more damaging attacks against critical internal systems, posing a direct risk to data confidentiality and integrity.

Remediation

Immediate Action: Update the "Auto Featured Image (Auto Post Thumbnail)" plugin to the latest available version that addresses this vulnerability. If the plugin is not critical to business operations, a secondary recommendation is to deactivate and remove it entirely to eliminate this attack vector.

Proactive Monitoring: Monitor web server and firewall logs for any unusual outbound requests originating from the WordPress server. Specifically, look for connections to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata services (169.254.169.254). An increase in connection errors or unexpected traffic patterns from the web server should be investigated immediately.
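As an added illustration of the monitoring step above (not code from the plugin or from this advisory), the following Python checks constructed firewall egress log lines from the WordPress host against the ranges named here. The log format, the web server's source address, and the extra loopback and link-local buckets are assumptions.

```python
import ipaddress
import re

# Destination ranges the advisory says to watch for in outbound traffic from
# the WordPress host: RFC 1918 space plus the cloud metadata endpoint.
# Loopback and the wider link-local block are added as assumptions, since an
# SSRF probe of 127.0.0.1 is as relevant as one of 10.0.0.0/8.
# Order matters: the /32 metadata entry is matched before the link-local /16.
WATCHED_RANGES = {
    "rfc1918": [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")],
    "cloud-metadata": [ipaddress.ip_network("169.254.169.254/32")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}

def classify_destination(ip_text):
    """Return the watch-list label for an address, or None if it is public/unparseable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for label, nets in WATCHED_RANGES.items():
        if any(ip in net for net in nets):
            return label
    return None

# Assumed key=value firewall log format (constructed for this example).
LOG_LINE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

def find_suspicious_egress(lines, web_server_ips):
    """Flag outbound connections from the web server to any watched range."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m or m["src"] not in web_server_ips:
            continue  # unparseable line, or traffic not from the web server
        label = classify_destination(m["dst"])
        if label:
            findings.append((m["dst"], int(m["dport"]), label))
    return findings

# Constructed sample egress log; 203.0.113.10 plays the WordPress host.
SAMPLE_LOG = [
    "2025-09-12T10:01:03Z src=203.0.113.10 dst=198.51.100.7 dport=443 action=ALLOW",
    "2025-09-12T10:01:05Z src=203.0.113.10 dst=169.254.169.254 dport=80 action=ALLOW",
    "2025-09-12T10:01:06Z src=203.0.113.10 dst=10.0.5.20 dport=3306 action=DENY",
    "2025-09-12T10:01:07Z src=203.0.113.10 dst=192.168.1.1 dport=8080 action=DENY",
    "2025-09-12T10:01:08Z src=203.0.113.55 dst=10.0.5.20 dport=22 action=ALLOW",
]

if __name__ == "__main__":
    for dst, port, label in find_suspicious_egress(SAMPLE_LOG, {"203.0.113.10"}):
        print(f"suspicious egress to {dst}:{port} ({label})")
```

Denied connections are flagged as well as allowed ones, because a burst of DENY entries to internal ranges is exactly the "increase in connection errors" the advisory asks to investigate.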

Compensating Controls: If immediate patching is not possible, implement the following controls:

  • Web Application Firewall (WAF): Deploy a WAF with rules designed to detect and block SSRF attack patterns, such as URLs containing internal or loopback IP addresses in the relevant parameters.
  • Egress Filtering: Configure firewall rules to strictly control outbound traffic from the web server. Only allow connections to known, trusted external domains and block all other outbound requests, especially those destined for the internal network.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.7) of this vulnerability and its potential to expose internal networks, it is strongly recommended that organizations prioritize patching all systems running the affected WordPress plugin immediately. While this CVE is not currently on the CISA KEV catalog, the risk of information disclosure and internal reconnaissance is significant. If patching cannot be performed immediately, the compensating controls outlined above, particularly egress filtering at the network level, should be implemented as a matter of urgency to mitigate the risk.