CVE-2025-12182

Severity: 4.3 (MEDIUM)
EPSS: 0.0% (top 91.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: qodeinteractive/qi_blocks (see Affected Packages below)
Timeline: Published Nov 15, 2025

Description

The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file wr
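The description above names the weakness (a missing capability check in an AJAX callback) but the page carries no code. The following is an added illustration, not the Qi Blocks plugin's own code: the hook name, request parameters, dimension limits and helper names are assumptions; only the callback name `resize_image_callback()` and the "missing capability check on an attachment" pattern come from the advisory. It shows why registering a handler on a `wp_ajax_*` hook is not authorization (it only requires a logged-in session, which a Contributor has), and what a per-object check with `current_user_can( 'edit_post', $attachment_id )` adds.

```php
<?php
// Added example, not the Qi Blocks plugin's code. Hook names, request fields
// and helper functions are hypothetical.

// --- Vulnerable shape (the pattern the advisory describes) ---
// Any authenticated user who can reach admin-ajax.php can resize ANY
// attachment, including uploads belonging to other users.
function qi_demo_vulnerable_resize_image_callback() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $width         = isset( $_POST['width'] ) ? absint( $_POST['width'] ) : 0;
    $height        = isset( $_POST['height'] ) ? absint( $_POST['height'] ) : 0;

    // No nonce check, no capability check, no ownership check. The only
    // gate is that wp_ajax_* hooks run for logged-in users, which includes
    // Contributors.
    qi_demo_do_resize( $attachment_id, $width, $height );
}
add_action( 'wp_ajax_qi_demo_resize_image', 'qi_demo_vulnerable_resize_image_callback' );

// --- Hardened shape ---
function qi_demo_hardened_resize_image_callback() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (client side: wp_create_nonce( 'qi_demo_resize_image' )).
    check_ajax_referer( 'qi_demo_resize_image', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $width         = isset( $_POST['width'] ) ? absint( $_POST['width'] ) : 0;
    $height        = isset( $_POST['height'] ) ? absint( $_POST['height'] ) : 0;

    // 2. The target must be an image attachment, not an arbitrary post ID.
    if ( ! $attachment_id
        || 'attachment' !== get_post_type( $attachment_id )
        || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( 'Invalid attachment.', 400 );
    }

    // 3. Authorization on the specific object. For attachments, 'edit_post'
    //    maps through map_meta_cap() to edit_posts for the uploader and to
    //    edit_others_posts for anyone else. Contributors lack
    //    edit_others_posts, so they can only resize their own uploads.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'You are not allowed to modify this attachment.', 403 );
    }

    // 4. Bound the requested dimensions so the endpoint cannot be used to
    //    write arbitrarily large files (4096 is an assumed limit).
    if ( $width < 1 || $height < 1 || $width > 4096 || $height > 4096 ) {
        wp_send_json_error( 'Invalid dimensions.', 400 );
    }

    qi_demo_do_resize( $attachment_id, $width, $height );
}
add_action( 'wp_ajax_qi_demo_resize_image_secure', 'qi_demo_hardened_resize_image_callback' );

// Shared resize step using the core image editor. It writes a new file next
// to the original, which is the "unintended file write" the advisory refers
// to when the checks above are missing.
function qi_demo_do_resize( $attachment_id, $width, $height ) {
    $path = get_attached_file( $attachment_id );
    if ( ! $path || ! file_exists( $path ) ) {
        wp_send_json_error( 'File not found.', 404 );
    }

    $editor = wp_get_image_editor( $path );
    if ( is_wp_error( $editor ) ) {
        wp_send_json_error( $editor->get_error_message(), 500 );
    }

    $editor->resize( $width, $height, false );
    $saved = $editor->save( $editor->generate_filename( "{$width}x{$height}" ) );
    if ( is_wp_error( $saved ) ) {
        wp_send_json_error( $saved->get_error_message(), 500 );
    }

    wp_send_json_success( array( 'file' => $saved['file'], 'path' => $saved['path'] ) );
}
```

When reviewing a plugin for this class of bug, grep its `add_action( 'wp_ajax_` registrations and check each callback for a capability test on the object ID it receives, not just a role or a generic `manage_options` check; the object-level `edit_post` test is what distinguishes a user's own attachments from other users'.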

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Read as: network-reachable, low attack complexity, low privileges required (an authenticated Contributor account), no user interaction, unchanged scope, and low impact on integrity only (unintended file writes), with no confidentiality or availability impact.

Affected Packages (1 package)

Source: CVEList V5 | Package: qodeinteractive/qi_blocks | Affected versions: <= 1.4.3

Vulnerability Details (2 references)

CVEList: Qi Blocks <= 1.4.3 - Missing Authorization to Arbitrary Attachment Resize (2025-11-15)
GHSA: GHSA-hhj5-vff4-phcr: The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in (2025-11-15)
Source: cvebase.io, CVE-2025-12182 (MEDIUM, CVSS 4.3), The Qi Blocks plugin for WordPress