Quick Featured Images < 13.7.3 – Insecure Direct Object Reference to Image Manipulation | CVE 2025-11176 | Plugin Vulnerabilities

Description

The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts.

Affects Plugins

quick-featured-images

Fixed in 13.7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f9a1cfc-5e52-40da-bb9d-8f2b46d37c8c

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucas Montes (Nirox)

Verified

No

WPVDB ID

5a45eab6-5eee-4ac9-a614-9d4f7c435e8f

Timeline

Publicly Published

2025-10-14 (about 7 months ago)

Added

2025-10-14 (about 7 months ago)

Last Updated

2025-10-15 (about 7 months ago)

Other

Published

Title

Published

2024-12-03

Title

Dollie Hub – Build Your Own WordPress Cloud Platform < 6.2.1 - Authenticated (Contributor+) Post Disclosure

Published

2024-03-29

Title

Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-09-09

Title

WPGYM - Wordpress Gym Management System <= 67.7.0 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

Published

2026-02-02

Title

Tutor LMS < 3.9.6 - Instructor+ Arbitrary Course Modification and Deletion via IDOR

Published

2026-05-13

Title

Fluent Forms < 6.2.1 - Form Manager+ Authorization Bypass via 'table' Parameter