Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Network-reachable via plugin URL fetch; low-privilege auth required; high complexity for useful internal endpoint identification; scope change confirmed by SSRF reaching beyond WordPress boundary.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in Themeisle Auto Featured Image (Auto Post Thumbnail) auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through <= 5.0.4.
AnalysisAI
Server-Side Request Forgery in the Themeisle Auto Featured Image (Auto Post Thumbnail) WordPress plugin through version 5.0.4 enables authenticated low-privilege users to coerce the server into issuing arbitrary outbound HTTP requests to attacker-controlled destinations, including internal network resources. The CVSS scope change (S:C) confirms the vulnerability can reach resources outside the WordPress application boundary - such as cloud metadata endpoints, internal APIs, or services on the hosting network. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid low-privilege WordPress account on the target site (reflected in CVSS PR:L) - anonymous or unauthenticated exploitation is not possible with this vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS base score of 4.9 (Medium) reflects a realistic risk posture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privilege WordPress account (such as a contributor or author) submits a post or triggers the plugin's image-fetch function using a crafted URL pointing to the cloud instance metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/). The server fetches the URL and, depending on how the plugin handles the response, may expose partial response content or confirm the existence of internal services, potentially leading to credential disclosure from the metadata service. … |
| Remediation | The primary remediation is to update the Auto Featured Image (Auto Post Thumbnail) plugin to a version beyond 5.0.4; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/auto-post-thumbnail/vulnerability/wordpress-auto-featured-image-auto-post-thumbnail-plugin-5-0-4-server-side-request-forgery-ssrf-vulnerability for the confirmed patched version, as the input data does not specify an exact fix version - patched release not independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43439