Description
The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images.
Published: 2025-11-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized image resizing leading to resource abuse
Action: Update Plugin
AI Analysis

Impact

The Qi Blocks plugin for WordPress contains a missing capability check on the resize_image_callback function. This flaw allows an authenticated attacker with Contributor level or higher to target any media library attachment and request that it be resized. The server then creates a new image file and processes the image, which can result in unintended file writes and consume significant disk space or CPU resources, potentially leading to a denial‑of‑service condition.

Affected Systems

All WordPress sites that have the Qi Blocks plugin from Qode Interactive installed and running version 1.4.3 or earlier are affected. The vulnerability is present in every deployment of those versions and can be exploited by any user account that holds Contributor or higher privileges.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only valid credentials with Contributor or higher level to trigger the resize operation, after which no further checks are performed. While the likelihood is low, the potential for resource exhaustion warrants timely remediation.

Generated by OpenCVE AI on April 22, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Qi Blocks to a patched version (1.5.x or newer) that restores the missing capability check.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin’s image resizing functionality until a fix is applied.
  • Review WordPress user roles and limit the number of accounts with Contributor or higher privileges, and consider enforcing media library access controls.

Generated by OpenCVE AI on April 22, 2026 at 11:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 17 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Qodeinteractive
Qodeinteractive qi Blocks
Wordpress
Wordpress wordpress
Vendors & Products Qodeinteractive
Qodeinteractive qi Blocks
Wordpress
Wordpress wordpress

Sat, 15 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images.
Title Qi Blocks <= 1.4.3 - Missing Authorization to Arbitrary Attachment Resize
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Qodeinteractive Qi Blocks
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:45.900Z

Reserved: 2025-10-24T19:16:49.591Z

Link: CVE-2025-12182

cve-icon Vulnrichment

Updated: 2025-11-17T18:41:46.347Z

cve-icon NVD

Status : Deferred

Published: 2025-11-15T04:15:55.570

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12182

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses