{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11176", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-29T19:57:18.202Z", "datePublished": "2025-10-15T05:23:48.130Z", "dateUpdated": "2026-04-08T16:52:07.130Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:07.130Z"}, "affected": [{"vendor": "kybernetikservices", "product": "Quick Featured Images", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "13.7.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts."}], "title": "Quick Featured Images <= 13.7.2 - Insecure Direct Object Reference to Image Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f9a1cfc-5e52-40da-bb9d-8f2b46d37c8c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quick-featured-images/tags/13.7.2/admin/class-Quick_Featured_Images_Columns.php#L506"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3376996%40quick-featured-images%2Ftrunk&old=3271680%40quick-featured-images%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "timeline": [{"time": "2025-10-14T17:12:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T18:15:11.881156Z", "id": "CVE-2025-11176", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T18:15:24.306Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11176", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T18:15:11.881156Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T18:15:20.849Z"}}], "cna": {"title": "Quick Featured Images <= 13.7.2 - Insecure Direct Object Reference to Image Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "kybernetikservices", "product": "Quick Featured Images", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "13.7.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T17:12:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f9a1cfc-5e52-40da-bb9d-8f2b46d37c8c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/quick-featured-images/tags/13.7.2/admin/class-Quick_Featured_Images_Columns.php#L506"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3376996%40quick-featured-images%2Ftrunk&old=3271680%40quick-featured-images%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:07.130Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11176", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:07.130Z", "dateReserved": "2025-09-29T19:57:18.202Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T05:23:48.130Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts."}], "id": "CVE-2025-11176", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T06:15:38.163", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/quick-featured-images/tags/13.7.2/admin/class-Quick_Featured_Images_Columns.php#L506"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3376996%40quick-featured-images%2Ftrunk&old=3271680%40quick-featured-images%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f9a1cfc-5e52-40da-bb9d-8f2b46d37c8c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:09:43.689088+00:00", "value": {"mitigation_remediation": ["Upgrade Quick Featured Images to a version newer than 13.7.2 to receive the authoritative fix.", "If an upgrade is not immediately possible, disable or restrict the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions for author\u2011level users by applying role\u2011based access controls or custom code that blocks the requests.", "Remove the plugin entirely or deactivate it until a patched version is available, if the functionality is not critical."], "summary": {"action": "Patch", "impact": "Unauthorized Image Manipulation"}, "threat_synthesis": {"affected_systems": "The affected product is the Quick Featured Images WordPress plugin, version 13.7.2 and earlier. The issue affects any WordPress installation that has this plugin installed and grants at least author\u2011level access to users.", "description_and_impact": "The Quick Featured Images plugin for WordPress is vulnerable to an insecure direct object reference in all versions up to 13.7.2. The vulnerability stems from missing validation on a user\u2011controlled key for the AJAX actions qfi_set_thumbnail and qfi_delete_thumbnail. Authenticated users with author-level access or higher can therefore change or delete other users\u2019 featured images, compromising the integrity of published content. This weakness is classified as CWE\u2011639, a broken access control flaw.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low to moderate severity. The EPSS score of <\u202f1% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be authenticated: an attacker must possess a legitimate WordPress user account with author or higher permissions to exploit the flaw."}}}}, "created": "2025-10-20T13:26:57.506390+00:00", "updated": "2026-04-22T13:15:17.848078+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}