CVE-2025-11176
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | quick_featured_images | 13.7.2 |
| wordpress | quick_featured_images | 13.7.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11176 is an Insecure Direct Object Reference (IDOR) vulnerability in the Quick Featured Images WordPress plugin up to version 13.7.2. It occurs because the plugin's AJAX handlers for setting and deleting featured images do not properly verify if the authenticated user has permission to edit the specific post. As a result, attackers with Author-level access or higher can change or remove featured images of posts they do not own by exploiting missing validation on a user-controlled key in AJAX requests. [1]
How can this vulnerability impact me?
This vulnerability allows authenticated users with Author-level access or above to manipulate featured images of other users' posts without proper authorization. This can lead to unauthorized content changes, potentially damaging the appearance or integrity of your website's posts. Although it does not allow content deletion or broader access, it undermines content control and trustworthiness by enabling unauthorized image modifications. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring AJAX requests to the Quick Featured Images WordPress plugin, specifically calls to the actions 'qfi_set_thumbnail' and 'qfi_delete_thumbnail'. Detection involves checking whether authenticated users with Author-level access or above are able to manipulate featured images of posts they do not own. You can inspect HTTP logs or use tools like curl or WP-CLI to simulate or observe these AJAX requests; for example, curl can be used to test the AJAX endpoint with different post IDs and thumbnail IDs to see whether unauthorized changes are possible. However, no specific detection commands are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Quick Featured Images WordPress plugin to version 13.7.3 or later, where the vulnerability has been fixed. The fix includes proper nonce verification, parameter validation, sanitization, and per-post authorization checks to ensure only authorized users can change or delete featured images. Until the update is applied, restrict Author-level users from accessing the plugin's AJAX actions if possible, and monitor for suspicious activity related to featured image changes. [1]
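As an added illustration (not the Quick Featured Images plugin's own code), the handler below shows the nonce verification and per-post authorization check that the fix described above requires for the two AJAX actions named on this page; the nonce action name 'qfi_ajax_nonce' and the request parameters 'post_id' and 'thumbnail_id' are assumptions, not the plugin's real names.

```php
<?php
// Illustrative example, not the plugin's code. The IDOR (CWE-639) arises when a
// handler checks only a general capability such as edit_posts: an Author holds it,
// yet may only edit their own posts. current_user_can( 'edit_post', $id ) is
// resolved per post by map_meta_cap(), so it denies posts the caller does not own.

add_action( 'wp_ajax_qfi_set_thumbnail', 'qfi_example_set_thumbnail' );
add_action( 'wp_ajax_qfi_delete_thumbnail', 'qfi_example_delete_thumbnail' );

/**
 * Shared guard for both actions: valid nonce, valid post ID, and the caller must be
 * allowed to edit *this specific* post. Returns the sanitized post ID.
 */
function qfi_example_authorize_post() {
    // 'qfi_ajax_nonce' / 'nonce' are assumed names (hypothetical).
    check_ajax_referer( 'qfi_ajax_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // Per-post check: for posts owned by someone else this requires edit_others_posts.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'not allowed to edit this post', 403 );
    }
    return $post_id;
}

function qfi_example_set_thumbnail() {
    $post_id      = qfi_example_authorize_post();
    $thumbnail_id = isset( $_POST['thumbnail_id'] ) ? absint( $_POST['thumbnail_id'] ) : 0;

    // The user-controlled image key must point at a real attachment.
    if ( ! $thumbnail_id || 'attachment' !== get_post_type( $thumbnail_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }
    if ( ! set_post_thumbnail( $post_id, $thumbnail_id ) ) {
        wp_send_json_error( 'could not set featured image', 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'thumbnail_id' => $thumbnail_id ) );
}

function qfi_example_delete_thumbnail() {
    $post_id = qfi_example_authorize_post();
    delete_post_thumbnail( $post_id );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

The same guard should also be applied to any non-privileged variant of these actions (the `wp_ajax_nopriv_*` hooks) if the plugin registers one, since unauthenticated callers must never reach the thumbnail functions at all.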