Medium severity 4.3 · NVD Advisory · Published Apr 23, 2024 · Updated Jun 17, 2026
CVE-2024-3664
Description
The Quick Featured Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the set_thumbnail and delete_thumbnail functions in all versions up to, and including, 13.7.0. This makes it possible for authenticated attackers, with contributor-level access and above, to delete thumbnails and add thumbnails to posts they did not author.
Affected products
- (no CPE) range: <=13.7.0
- (no CPE) range: <=13.7.0