PT-2025-42230 · WordPress · Quick Featured Images

Lucas Montes · Published 2025-10-15 · Updated 2025-10-15 · CVE-2025-11176

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Quick Featured Images plugin for WordPress, versions prior to 13.7.3

Description
The Quick Featured Images plugin for WordPress is susceptible to an Insecure Direct Object Reference (IDOR) issue in versions up to and including 13.7.2. The flaw is in the "qfi set thumbnail" and "qfi delete thumbnail" AJAX actions: both accept a user-controlled key identifying the target post and act on it without validating that the requesting user is authorized to edit that post. Because the key is trusted directly, an authenticated attacker with Author-level access or higher can set or remove the featured image of posts belonging to other users, something the Author role cannot otherwise do, since it lacks the capability to edit others' posts. The impact is limited to integrity (featured-image changes); no confidentiality or availability impact is reported.

Recommendations
Update the Quick Featured Images plugin to version 13.7.3 or later. As a compensating check while patching, confirm that only trusted users hold the Author role or higher, and review recent featured-image changes on posts whose authors did not make them.
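The pattern behind this class of bug, and the check that closes it, as an added illustration that is not the plugin's own code and does not reproduce its fix. The action names, nonce name and request parameters are assumptions chosen for the example; a per-object capability check with `current_user_can( 'edit_post', $post_id )` is the standard WordPress way to stop an Author from acting on another user's post, since that meta capability resolves to `edit_others_posts` for posts the user does not own.

```php
<?php
// Added example, not the plugin's code. Action names, nonce action and
// request parameters ("post_id", "thumbnail_id") are assumed for illustration.

/**
 * Vulnerable pattern: the request's post ID is trusted. A CSRF nonce proves
 * the request came from a logged-in user's session, not that this user may
 * edit that post, so any Author can target any other user's post.
 */
function example_set_thumbnail_insecure() {
    check_ajax_referer( 'example_qfi_nonce', 'nonce' );

    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $thumb_id = absint( $_POST['thumbnail_id'] ?? 0 );

    // No per-object authorization: IDOR on $post_id.
    set_post_thumbnail( $post_id, $thumb_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_set_thumbnail_insecure', 'example_set_thumbnail_insecure' );

/**
 * Hardened pattern: resolve the user-controlled key to an object and check
 * the current user's capability on that specific object before acting.
 */
function example_authorize_post_edit( $post_id ) {
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }
    // edit_post is a meta capability: for an Author it maps to edit_others_posts
    // on posts owned by someone else, which the Author role does not have.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}

function example_set_thumbnail() {
    check_ajax_referer( 'example_qfi_nonce', 'nonce' );

    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $thumb_id = absint( $_POST['thumbnail_id'] ?? 0 );

    example_authorize_post_edit( $post_id );

    // The value being written must also be a real attachment, otherwise an
    // arbitrary post ID could be written into _thumbnail_id.
    if ( 'attachment' !== get_post_type( $thumb_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    set_post_thumbnail( $post_id, $thumb_id );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_example_set_thumbnail', 'example_set_thumbnail' );

function example_delete_thumbnail() {
    check_ajax_referer( 'example_qfi_nonce', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );

    // Same object-level check on the delete path; the advisory lists both
    // the set and delete actions as affected.
    example_authorize_post_edit( $post_id );

    delete_post_thumbnail( $post_id );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_example_delete_thumbnail', 'example_delete_thumbnail' );
```

To verify a fix of this kind on a staging site, log in as a user with the Author role, capture the plugin's AJAX request from the admin UI, replay it with the post ID of a post owned by a different user, and confirm that the response is an error and that the target post's `_thumbnail_id` meta is unchanged; the vulnerable version succeeds on that replay.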

Tags: Fix, IDOR

Weakness Enumeration: Insecure Direct Object Reference (IDOR)

Related Identifiers: CVE-2025-11176

Affected Products: Quick Featured Images