The Quick Featured Images plugin for WordPress, developed by hinjiriyo, contains a vulnerability identified as CVE-2024-3664, classified under CWE-862 (Missing Authorization). This vulnerability exists because the plugin fails to perform proper capability checks in its set_thumbnail and delete_thumbnail functions. As a result, any authenticated user with contributor-level permissions or higher can add or delete featured images (thumbnails) on posts they did not author. This flaw affects all versions up to and including 13.7.0. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 base score is 4.3, indicating medium severity, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, meaning the attack vector is network-based, requires low attack complexity, privileges at the contributor level, no user interaction, unchanged scope, no confidentiality or availability impact, but low integrity impact. No patches or exploits are currently publicly available, but the risk lies in unauthorized content manipulation, which can undermine website integrity and trustworthiness.

The primary impact of this vulnerability is on the integrity of website content managed via the Quick Featured Images plugin. Unauthorized contributors can alter featured images on posts they do not own, potentially leading to misinformation, defacement, or manipulation of visual content. While this does not directly compromise confidentiality or availability, it can damage brand reputation, user trust, and content authenticity. For organizations relying heavily on WordPress for content delivery, especially those with multiple contributors, this vulnerability could be exploited to subtly alter site appearance or mislead visitors. The risk is heightened in environments where contributor roles are broadly assigned or where monitoring of content changes is insufficient.

To mitigate this vulnerability, organizations should first update the Quick Featured Images plugin to a version where this authorization issue is resolved once available. Until a patch is released, administrators should restrict contributor-level permissions or higher to trusted users only. Implementing additional access control measures, such as role hardening or custom capability checks, can prevent unauthorized thumbnail modifications. Monitoring and auditing changes to featured images can help detect suspicious activity early. Disabling the plugin temporarily may be considered if the risk is unacceptable and no patch is available. Additionally, applying web application firewalls (WAFs) with rules to detect anomalous API calls related to thumbnail changes can provide a layer of defense.