CVE-2025-12182: CWE-284 Improper Access Control in qodeinteractive Qi Blocks
The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images.
AI Analysis
Technical Summary
CVE-2025-12182 is an improper access control vulnerability (CWE-284) in the Qi Blocks WordPress plugin caused by a missing capability check in the resize_image_callback() function. The plugin fails to verify that the user has permission to resize a specific attachment, enabling authenticated users with Contributor-level access or higher to manipulate arbitrary media library images belonging to other users. This can result in unintended file modifications, excessive disk consumption, and server resource exhaustion through processing large images. The vulnerability affects all versions up to and including 1.4.3. The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), reflecting a network attack vector with low complexity and requiring low privileges but no user interaction.
Potential Impact
Exploitation allows authenticated users with Contributor or higher privileges to resize arbitrary images in the media library, potentially causing unintended file writes and increased disk and server resource consumption. There is no direct confidentiality or availability impact reported. The main risk is resource abuse and unintended modification of media files.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Contributor-level access or higher to trusted users only. Monitor plugin updates from qodeinteractive for an official fix addressing this vulnerability.
CVE-2025-12182: CWE-284 Improper Access Control in qodeinteractive Qi Blocks
Description
The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-12182 is an improper access control vulnerability (CWE-284) in the Qi Blocks WordPress plugin caused by a missing capability check in the resize_image_callback() function. The plugin fails to verify that the user has permission to resize a specific attachment, enabling authenticated users with Contributor-level access or higher to manipulate arbitrary media library images belonging to other users. This can result in unintended file modifications, excessive disk consumption, and server resource exhaustion through processing large images. The vulnerability affects all versions up to and including 1.4.3. The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), reflecting a network attack vector with low complexity and requiring low privileges but no user interaction.
Potential Impact
Exploitation allows authenticated users with Contributor or higher privileges to resize arbitrary images in the media library, potentially causing unintended file writes and increased disk and server resource consumption. There is no direct confidentiality or availability impact reported. The main risk is resource abuse and unintended modification of media files.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Contributor-level access or higher to trusted users only. Monitor plugin updates from qodeinteractive for an official fix addressing this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-24T19:16:49.591Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6917f71bb6d0b801e4d2e75f
Added to database: 11/15/2025, 3:44:27 AM
Last enriched: 4/9/2026, 4:08:11 PM
Last updated: 5/10/2026, 1:30:16 PM
Views: 213
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.