FIFU - Information Disclosure (CVE-2025-9985)

CVE-2025-9985 is a vulnerability in the Featured Image from URL (FIFU) WordPress plugin that exposes sensitive information through publicly accessible log files. This flaw allows unauthenticated attackers to access potentially confidential data, increasing the risk of information disclosure and privacy breaches on affected WordPress sites.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-9985 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-9985 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-9985 is currently experiencing high visibility and active exploitation across the internet.

Attackers attempt to access publicly exposed log files at /wp-content/uploads/fifu-plugin.log and /wp-content/uploads/fifu-cloud.log to retrieve sensitive information from vulnerable WordPress sites using the Featured Image from URL plugin.