Vulnerabilities and security researches forquick-featured-images quick-featured-images

Jun 06, 2024

CVE, Research URL: CVE-2024-3664
Home page URL: Security reports for Quick Featured Images
Application: Quick Featured Images
Date: Apr 23, 2024
Research Description: The Quick Featured Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the set_thumbnail and delete_thumbnail functions in all versions up to, and including, 13.7.0. This makes it possible for authenticated attackers, with contributor-level access and above, to delete thumbnails and add thumbnails to posts they did not author.
Affected versions: max 13.7.1.
Status: vulnerable

Nov 11, 2025

CVE, Research URL: CVE-2025-11176
Home page URL: Security reports for Quick Featured Images
Application: Quick Featured Images
Date: Oct 15, 2025
Research Description: The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts.
Affected versions: max 13.7.3.
Status: vulnerable