CVE-2025-11176

by Fred · 15/10/2025

The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user’s posts.

More information : https://plugins.trac.wordpress.org/browser/quick-featured-images/tags/13.7.2/admin/class-Quick_Featured_Images_Columns.php#L506

CVE-2025-11176

Similar

Recent Posts

Categories

CVE-2025-11176

Share this:

Similar

Recent Posts

Categories

Tags