CVE-2025-12019
Published
CVSS v3: 4.4 MEDIUM
CVSS v2: N/A
Affected: 2 projects
Description
The Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image metadata in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
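To illustrate the defect class the description names (metadata echoed into markup without output escaping), the hypothetical `featured_img_render_unsafe()` and `featured_img_render_safe()` below contrast raw interpolation with WordPress's context-specific escaping; this is an added example, not the plugin's own code or its actual fix. The `$sample` array is constructed input, and the `function_exists` fallbacks exist only so the file runs outside WordPress.

```php
<?php
// Added example, not code from the Featured Image plugin. Shows the
// output-escaping defect class named in CVE-2025-12019 and its fix.

// Stand-ins so the file runs outside WordPress; inside WordPress the
// real esc_attr()/esc_html()/esc_url() are already defined.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_url' ) ) {
	function esc_url( $url ) {
		// Keep only http(s) URLs; anything else (other schemes, empty values) is dropped.
		return preg_match( '#^https?://#i', (string) $url ) ? htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' ) : '';
	}
}

// Before: alt text and caption (attachment metadata set in the media
// library) land in the markup exactly as stored.
function featured_img_render_unsafe( array $image ) {
	return '<figure class="featured-img">'
		. '<img src="' . $image['url'] . '" alt="' . $image['alt'] . '" />'
		. '<figcaption>' . $image['caption'] . '</figcaption>'
		. '</figure>';
}

// After: escape each value for the context it is printed in
// (URL attribute, quoted attribute, element text content).
function featured_img_render_safe( array $image ) {
	return '<figure class="featured-img">'
		. '<img src="' . esc_url( $image['url'] ) . '" alt="' . esc_attr( $image['alt'] ) . '" />'
		. '<figcaption>' . esc_html( $image['caption'] ) . '</figcaption>'
		. '</figure>';
}

// Constructed sample metadata containing characters that close an
// attribute or open a tag; no real attachment is involved.
$sample = array(
	'url'     => 'https://example.com/wp-content/uploads/sunset.jpg',
	'alt'     => 'Sunset "over" the bay',
	'caption' => 'Photo <b>credit</b>: staff',
);

echo featured_img_render_unsafe( $sample ), "\n"; // the quote in alt ends the attribute early
echo featured_img_render_safe( $sample ), "\n";   // &quot; and &lt;b&gt; are rendered as text
```

Running the file side by side shows why the 2.2 changelog entry "proper output escaping" is the relevant fix: the same stored value is harmless once each sink escapes for its own context.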
<p>Add featured image to any part of the website, on each individual post/page. Very Easy to Implement. Provides you with a featured image shortcode [ featured-img ], code and Featured Image widget.</p>
<p>Paste the Code or the Shortcode on any part of the website.</p>
<ul>
<li>Very Easy to implement.</li>
<li>Simple Shortcode Available</li>
<li>Easy code Implementation inside loop and outside loop.</li>
<li>Widget Available</li>
<li>Featured Image Caption</li>
</ul>
<p><a href="https://mer.vin/wordpress-featured-image" rel="nofollow ugc">WordPress Featured Image</a> Documentation By <a href="https://mer.vin/" rel="nofollow ugc">Mervin</a> Praison<br />
<a href="https://seomanageruk.com" rel="nofollow ugc">SEO Manager</a></p>
<h3>Version history</h3>
<h4>Version 2.2</h4>
<ul>
<li>Security: Fixed Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-12019)</li>
<li>Fixed: Added missing global $post in caption function</li>
<li>Improved: Enhanced security with proper output escaping</li>
</ul>
<h4>Version 2.1</h4>
<ul>
<li>global $post fix</li>
</ul>
<h4>Version 2.0</h4>
<ul>
<li>Added Featured Image Caption</li>
<li>Added Alt Text for images</li>
<li>Fixed Bugs</li>
</ul>
<h4>Version 1.0</h4>
<ul>
<li>Initial release version.</li>
</ul>