SQL Injection Vulnerability in Quick Featured Images Plugin for WordPress
CVE-2025-11980
Severity: 4.9 (MEDIUM)
What is CVE-2025-11980?
The Quick Featured Images plugin for WordPress contains an SQL Injection vulnerability in the 'delete_orphaned' function, present in all versions up to and including 13.7.3. The flaw arises from inadequate escaping of a user-supplied parameter and insufficient preparation of the existing SQL query. Authenticated attackers with Editor-level access or higher can exploit this vulnerability to append additional SQL commands to existing queries, which could be used to extract sensitive information from the database. Exploitation also requires that an Author-level (or higher) user be manipulated into adding a malicious custom field value.
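As an added illustration (not the plugin's own code, and not a reconstruction of it), the hypothetical WordPress cleanup routine below shows the weak pattern the advisory describes, a custom-field value interpolated into an unprepared query, beside the prepared form a maintainer would ship instead. The `$wpdb` table names are WordPress's own; the function names, the meta key and the parameter are assumptions made for the example.

```php
<?php
// Hypothetical example, not code from the Quick Featured Images plugin.
// Assumes the WordPress $wpdb global; meta key and function names are
// placeholders chosen for this illustration.

// Weak pattern: a custom-field (post meta) value is concatenated straight
// into SQL. Whoever can set that meta value, e.g. an Author-level user
// editing a custom field, controls part of the query text, so a crafted
// value changes the query's structure rather than just its data.
function delete_orphaned_insecure( $meta_value ) {
    global $wpdb;
    $sql = "DELETE FROM {$wpdb->postmeta}
            WHERE meta_key = '_thumbnail_id'
              AND meta_value = '{$meta_value}'
              AND meta_value NOT IN (SELECT ID FROM {$wpdb->posts})";
    return $wpdb->query( $sql );
}

// Hardened pattern: every runtime value goes through $wpdb->prepare(),
// which escapes %s placeholders and casts %d to an integer, so the value
// can only ever be data. The type check in front of it rejects anything
// that is not a plausible attachment ID before it reaches the database.
function delete_orphaned_secure( $meta_value ) {
    global $wpdb;

    // Only users who may manage uploads should trigger a cleanup at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        return 0;
    }

    // A featured-image reference is an attachment post ID; anything that
    // is not a positive integer is not a valid candidate for deletion.
    $attachment_id = absint( $meta_value );
    if ( 0 === $attachment_id ) {
        return 0;
    }

    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->postmeta}
         WHERE meta_key = %s
           AND meta_value = %d
           AND meta_value NOT IN (SELECT ID FROM {$wpdb->posts})",
        '_thumbnail_id',
        $attachment_id
    );
    return $wpdb->query( $sql );
}
```

When reviewing a plugin for this class of bug, the thing to look for is any `$wpdb->query()` or `$wpdb->get_results()` call whose SQL string contains a `{$var}` or `. $var .` built from request data, options or post meta without passing through `$wpdb->prepare()`; post meta deserves particular attention because, as this advisory notes, lower-privileged roles can write it.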
Affected Version(s)
Quick Featured Images * <= 13.7.3