WordPress Plugin Vulnerabilities

Quick Featured Images < 13.7.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Thumbnail Deletion/Setting

Description

The Quick Featured Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the set_thumbnail and delete_thumbnail functions in all versions up to, and including, 13.7.0. This makes it possible for authenticated attackers, with contributor-level access and above, to delete thumbnails and add thumbnails to posts they did not author.

Affects Plugins

Plugin icon
quick-featured-images
Fixed in 13.7.1

References

CVE
CVE-2024-3664
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5dbbd1a0-de05-4510-b06b-8bc396b65a97

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
9ff32634-4cb6-4669-a569-77210fae93ec

Timeline

Publicly Published
2024-04-22 (about 2 years ago)
Added
2024-04-22 (about 2 years ago)
Last Updated
2024-04-22 (about 2 years ago)

Other

Published
Title
Published
2025-01-24
Title
Thim Elementor Kit < 1.2.9 - Missing Authorization
Published
2023-10-06
Title
ProductX – Gutenberg WooCommerce Blocks < 3.0.0 - Missing Authorization via option_data_save
Published
2026-02-23
Title
eShipper Commerce < 2.16.13 - Missing Authorization
Published
2026-02-17
Title
Compress < 6.60.29 - Missing Authorization
Published
2024-10-24
Title
SEOPress < 8.2 - Missing Authorization