Quick Featured Images WordPress Plugin Insecure Direct Object Reference Vulnerability
Vulnerability
A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the Quick Featured Images plugin for WordPress, affecting all versions through 13.7.2. The vulnerability arises from missing validation on user-controlled keys in the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions. This flaw enables authenticated attackers with Author-level access or higher to modify or delete the featured images of other users' posts.
Impact
Exploitation of this vulnerability allows for unauthorized modification or deletion of featured images on posts, potentially disrupting the visual presentation and content management of the affected posts.
Reproduction
To reproduce this vulnerability, an authenticated user with Author-level access or higher sends an AJAX request to the WordPress site using the qfi_set_thumbnail or qfi_delete_thumbnail action. The request must include a valid nonce for authentication and specify the post ID and thumbnail ID. Because the handlers do not validate that the requesting user may edit the post referenced by these user-controlled keys, the attacker can change or remove the featured images of other users' posts.
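The pattern behind this class of bug, as an added illustration rather than the plugin's own code: a WordPress AJAX handler that trusts the nonce but never checks object-level authorization, beside a hardened version that validates both user-controlled keys against the current user's capabilities. The action name, nonce action and function names are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example, not code from the Quick Featured Images plugin.
// Names prefixed demo_ are assumptions made for this illustration.

// Weak pattern: a valid nonce only shows the request came from a logged-in
// user's page; it says nothing about whether that user may edit the target.
function demo_set_thumbnail_weak() {
    check_ajax_referer( 'demo_qfi_nonce', 'nonce' );
    $post_id  = (int) $_POST['post_id'];
    $thumb_id = (int) $_POST['thumb_id'];
    set_post_thumbnail( $post_id, $thumb_id ); // any Author, any post: IDOR
    wp_send_json_success();
}

// Hardened pattern: authorize the caller against the specific post and
// attachment referenced by the request before touching either object.
function demo_thumbnail_hardened( $delete = false ) {
    check_ajax_referer( 'demo_qfi_nonce', 'nonce' );
    $post_id  = isset( $_POST['post_id'] )  ? absint( $_POST['post_id'] )  : 0;
    $thumb_id = isset( $_POST['thumb_id'] ) ? absint( $_POST['thumb_id'] ) : 0;

    // Object-level check: may THIS user edit THIS post? edit_post is a meta
    // capability, so Authors pass only for posts they own.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( $delete ) {
        delete_post_thumbnail( $post_id );
        wp_send_json_success();
    }
    // The second key must reference a real image attachment, not an
    // arbitrary post ID supplied by the client.
    if ( ! $thumb_id || ! wp_attachment_is_image( $thumb_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }
    set_post_thumbnail( $post_id, $thumb_id );
    wp_send_json_success();
}

add_action( 'wp_ajax_demo_set_thumbnail', function () {
    demo_thumbnail_hardened( false );
} );
add_action( 'wp_ajax_demo_delete_thumbnail', function () {
    demo_thumbnail_hardened( true );
} );
```

When auditing a plugin for this issue, look for AJAX handlers whose only guard is check_ajax_referer and which pass a request-supplied ID straight into a write function.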
Remediation
Users are advised to update the Quick Featured Images plugin to version 13.7.3 or a newer patched version.