FIFU - Information Disclosure (CVE-2025-9985)
42Exploiting IPs reported
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
CrowdSec analysis
CVE-2025-9985 is a vulnerability in the Featured Image from URL (FIFU) WordPress plugin that exposes sensitive information through publicly accessible log files. This flaw allows unauthenticated attackers to access potentially confidential data, increasing the risk of information disclosure and privacy breaches on affected WordPress sites.
CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.
Data from the CrowdSec community indicates that exploitation of CVE-2025-9985 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. In addition, according to the CrowdSec network, attack volume against CVE-2025-9985 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.
Attackers attempt to access publicly exposed log files at /wp-content/uploads/fifu-plugin.log and /wp-content/uploads/fifu-cloud.log to retrieve sensitive information from vulnerable WordPress sites using the Featured Image from URL plugin.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.