WordPress Plugin Vulnerabilities

Qi Blocks < 1.4.4 - Missing Authorization to Arbitrary Attachment Resize

Description

The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images.

Affects Plugins

Plugin icon
qi-blocks
Fixed in 1.4.4

References

CVE
CVE-2025-12182
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/41b0b12f-ff52-4913-aa54-3fbaf0839959

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Adrian Lukita
Verified
No
WPVDB ID
d97aa7d0-d50b-407d-873e-7b19063da293

Timeline

Publicly Published
2025-11-14 (about 6 months ago)
Added
2025-11-14 (about 6 months ago)
Last Updated
2025-11-15 (about 6 months ago)

Other

Published
Title
Published
2020-08-21
Title
Contact Form - Form builder by Kali Forms < 2.1.2 - Authenticated Plugin's Settings Change
Published
2021-06-18
Title
404 to 301 < 3.0.8 - Broken Access Control
Published
2024-08-26
Title
NitroPack < 1.16.8 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-02-16
Title
My Private Site < 3.1.0 - Improper Access Control to Sensitive Information Exposure via REST API
Published
2024-01-03
Title
WP-Members Membership Plugin < 3.4.9 - Contributor+ Sensitive Information Exposure