CVE-2025-11176
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: Wordfence

Description
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11176
EUVD
EUVD-2025-34513
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordpress quick_featured_images 13.7.2
wordpress quick_featured_images 13.7.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11176 is an Insecure Direct Object Reference (IDOR) vulnerability in the Quick Featured Images WordPress plugin up to version 13.7.2. It occurs because the plugin's AJAX handlers for setting and deleting featured images do not properly verify if the authenticated user has permission to edit the specific post. As a result, attackers with Author-level access or higher can change or remove featured images of posts they do not own by exploiting missing validation on a user-controlled key in AJAX requests. [1]

Impact Analysis

This vulnerability allows authenticated users with Author-level access or above to manipulate featured images of other users' posts without proper authorization. This can lead to unauthorized content changes, potentially damaging the appearance or integrity of your website's posts. Although it does not allow content deletion or broader access, it undermines content control and trustworthiness by enabling unauthorized image modifications. [1]

Detection Guidance

This vulnerability can be detected by monitoring AJAX requests to the WordPress plugin Quick Featured Images, specifically looking for calls to the actions 'qfi_set_thumbnail' and 'qfi_delete_thumbnail'. Detection involves checking if authenticated users with Author-level access or above are able to manipulate featured images of posts they do not own. You can inspect HTTP logs or use tools like curl or WP-CLI to simulate or observe these AJAX requests. For example, using curl to test the AJAX endpoint with different post IDs and thumbnail IDs to see if unauthorized changes are possible. However, no specific detection commands are provided in the resources. [1, 2]

Mitigation Strategies

The immediate mitigation step is to update the Quick Featured Images WordPress plugin to version 13.7.3 or later, where the vulnerability has been fixed. The fix includes proper nonce verification, parameter validation, sanitization, and per-post authorization checks to ensure only authorized users can change or delete featured images. Until the update is applied, restrict Author-level users from accessing the plugin's AJAX actions if possible, and monitor for suspicious activity related to featured image changes. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11176. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart