PT-2025-45562 · WordPress · Quick Featured Images
Published
2025-11-08
·
Updated
2025-11-08
·
CVE-2025-11980
CVSS v3.1
4.9
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Quick Featured Images plugin for WordPress versions prior to 13.7.4
Description
The Quick Featured Images plugin for WordPress is susceptible to SQL Injection through the
delete orphaned function. This is due to inadequate escaping of user-supplied parameters and insufficient preparation of the existing SQL query. Authenticated attackers with Editor-level access or higher can append additional SQL queries to existing ones, potentially extracting sensitive information from the database if they can convince an author-level user or higher to add a malicious custom field value.Recommendations
Update the Quick Featured Images plugin to version 13.7.4 or later.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Quick Featured Images