cleantalk
Vulnerabilities and Security Researches

Quick Featured Images, CVE-2025-11176

CVE, Research URL

CVE-2025-11176

Home page URL

Security reports for Quick Featured Images

Application

Quick Featured Images

Published on
Oct 15, 2025
Research Description
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other user's posts.
Affected versions
max 13.7.3.
Status
vulnerable
Previous vulnerability researches
Memberlite Shortcodes (CVE-2023-5237) , Jun 07, 2024
Memberlite Shortcodes (c35d1c7ca3f51b7af6a1ca01d23fd36f0cf6fff8) , Jun 07, 2024
Memberlite Shortcodes (CVE-2025-48087) , Nov 10, 2025
Memberlite Shortcodes (CVE-2024-11227) , Nov 25, 2024
Memberlite Shortcodes (CVE-2025-10125) , Oct 11, 2025
New vulnerability
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscription (CVE-2025-62023) , Nov 11, 2025
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscription (CVE-2025-58998) , Nov 11, 2025
Favorites (CVE-2025-60202) , Nov 11, 2025
Child Themes (CVE-2025-52755) , Nov 11, 2025
Premmerce Wishlist for WooCommerce (CVE-2025-60191) , Nov 11, 2025