CVE-2025-11176: 
WordPress vulnerability analysis and mitigation

The Quick Featured Images plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CVE-2025-11176) in versions up to and including 13.7.2. The vulnerability was discovered by Lucas Montes (Nirox) at Wordfence and disclosed on October 14, 2025. The vulnerability affects the qfisetthumbnail and qfideletethumbnail AJAX actions due to missing validation on a user-controlled key (NVD CVE).

The vulnerability exists in the AJAX actions qfisetthumbnail and qfideletethumbnail which lack proper validation of user-controlled input. This allows authenticated users with Author-level access or above to manipulate featured images of posts owned by other users. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (Wordfence).

The vulnerability allows authenticated attackers with Author-level privileges or higher to change or remove featured images from posts that they should not have access to. This could lead to unauthorized modification of other users' content (NVD CVE).

The vulnerability has been patched in version 13.7.3 of the Quick Featured Images plugin. Users are advised to update to this version immediately. The patch includes improved validation of user permissions and input sanitization (WordPress Plugin).