CVE-2025-11176: CWE-639 Authorization Bypass Through User-Controlled Key in kybernetikservices Quick Featured Images
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts.
AI Analysis
Technical Summary
CVE-2025-11176 describes an Insecure Direct Object Reference vulnerability in the Quick Featured Images plugin for WordPress. The issue arises from insufficient validation of a user-controlled key parameter in the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions. This allows authenticated users with Author-level privileges or above to manipulate featured images of other users' posts, bypassing intended authorization controls. The vulnerability affects all versions up to and including 13.7.2. The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low complexity, requiring privileges, no user interaction, and resulting in integrity impact without confidentiality or availability impact.
Potential Impact
An attacker with Author-level access or higher can change or remove featured images on posts they do not own, potentially leading to unauthorized content manipulation. There is no impact on confidentiality or availability reported. The integrity of post presentation is affected, which may impact site content trustworthiness or user experience.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Author-level access carefully and monitor for suspicious activity related to featured image changes. Avoid granting Author-level privileges to untrusted users. Follow vendor updates for any official patches or mitigations.
CVE-2025-11176: CWE-639 Authorization Bypass Through User-Controlled Key in kybernetikservices Quick Featured Images
Description
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-11176 describes an Insecure Direct Object Reference vulnerability in the Quick Featured Images plugin for WordPress. The issue arises from insufficient validation of a user-controlled key parameter in the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions. This allows authenticated users with Author-level privileges or above to manipulate featured images of other users' posts, bypassing intended authorization controls. The vulnerability affects all versions up to and including 13.7.2. The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low complexity, requiring privileges, no user interaction, and resulting in integrity impact without confidentiality or availability impact.
Potential Impact
An attacker with Author-level access or higher can change or remove featured images on posts they do not own, potentially leading to unauthorized content manipulation. There is no impact on confidentiality or availability reported. The integrity of post presentation is affected, which may impact site content trustworthiness or user experience.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Author-level access carefully and monitor for suspicious activity related to featured image changes. Avoid granting Author-level privileges to untrusted users. Follow vendor updates for any official patches or mitigations.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-09-29T19:57:18.202Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68ef32334e16767881e4a81e
Added to database: 10/15/2025, 5:33:39 AM
Last enriched: 4/9/2026, 3:51:50 PM
Last updated: 5/10/2026, 6:17:04 AM
Views: 122
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.