What the vulnerability does
01 Description
The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images.
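The pattern described above, a WordPress admin-ajax handler that takes an attachment ID from the request and resizes it without an object-level capability check, is shown below beside a hardened version. This is an added illustration, not the Qi Blocks plugin's own code: the action names, function names, the `EXAMPLE_MAX_DIMENSION` limit and the request parameter names are assumptions; only the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code. Action/function/parameter
// names are hypothetical; the WordPress functions used are real.

// --- Vulnerable pattern: the attachment ID is trusted as-is. Any logged-in
// user who can reach admin-ajax.php (Contributors included) can force a
// resize of an attachment that belongs to someone else, with any size. ---
function example_resize_image_callback_vulnerable() {
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $width         = absint( $_POST['width'] ?? 0 );
    $height        = absint( $_POST['height'] ?? 0 );

    $file   = get_attached_file( $attachment_id );   // no ownership check
    $editor = wp_get_image_editor( $file );
    if ( is_wp_error( $editor ) ) {
        wp_send_json_error( $editor->get_error_message() );
    }
    $editor->resize( $width, $height, false );       // unbounded dimensions
    $saved = $editor->save();                        // writes a new file to uploads/
    wp_send_json_success( $saved );
}
add_action( 'wp_ajax_example_resize_image_vulnerable', 'example_resize_image_callback_vulnerable' );

// --- Hardened pattern: nonce, capability check on the specific attachment,
// attachment-type check, and a cap on the requested dimensions. ---
define( 'EXAMPLE_MAX_DIMENSION', 4096 ); // assumed limit; tune per site

function example_resize_image_callback_hardened() {
    // CSRF protection: client must send a nonce from wp_create_nonce( 'example_resize_image' ).
    check_ajax_referer( 'example_resize_image', 'nonce' );

    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $width         = absint( $_POST['width'] ?? 0 );
    $height        = absint( $_POST['height'] ?? 0 );

    // Object-level authorization: 'edit_post' on THIS attachment. Through
    // map_meta_cap() a Contributor gets true only for their own uploads;
    // editing others' attachments requires edit_others_posts.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'You are not allowed to modify this attachment.', 403 );
    }
    if ( 'attachment' !== get_post_type( $attachment_id ) || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( 'Not an image attachment.', 400 );
    }
    // Resource-abuse guard: refuse absurd target sizes instead of decoding
    // and scaling whatever the caller asks for.
    if ( $width < 1 || $height < 1 || $width > EXAMPLE_MAX_DIMENSION || $height > EXAMPLE_MAX_DIMENSION ) {
        wp_send_json_error( 'Requested dimensions out of range.', 400 );
    }

    $file = get_attached_file( $attachment_id );
    if ( ! $file || ! file_exists( $file ) ) {
        wp_send_json_error( 'Attachment file not found.', 404 );
    }
    $editor = wp_get_image_editor( $file );
    if ( is_wp_error( $editor ) ) {
        wp_send_json_error( $editor->get_error_message(), 500 );
    }
    $resized = $editor->resize( $width, $height, false );
    if ( is_wp_error( $resized ) ) {
        wp_send_json_error( $resized->get_error_message(), 500 );
    }
    $saved = $editor->save();
    if ( is_wp_error( $saved ) ) {
        wp_send_json_error( $saved->get_error_message(), 500 );
    }
    wp_send_json_success( $saved );
}
add_action( 'wp_ajax_example_resize_image', 'example_resize_image_callback_hardened' );
```

Both handlers are registered on `wp_ajax_` only (no `wp_ajax_nopriv_`), which is why the advisory's precondition is an authenticated account rather than anonymous access. The capability check is the fix that matters for this class of bug; the dimension cap addresses the "server resource abuse through processing of large images" consequence that the description names, and the nonce closes off the separate CSRF route to the same handler.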
Explanation of Vulnerability in Simple Terms
02 Summary
Qi Blocks versions 1.4.3 and earlier contain an access control flaw: the AJAX handler that resizes media library images does not check that the caller is allowed to edit the target attachment. Exploitation requires a valid account, but only Contributor-level access or above; no administrative privileges are needed. An attacker with such an account can trigger resizes of images uploaded by other users, producing files their owners did not ask for and consuming disk space and processing time on the server.
What an attacker can do
03 Attacker Capabilities
Resize arbitrary images in the media library, including attachments uploaded by other users, and trigger large or repeated resize operations the site owner did not request.
Potential impact on your site
04 Site Impact
Unintended files written into the uploads directory, disk consumption from the generated resized copies, and CPU and memory exhaustion when large images are processed repeatedly at the request of low-privileged users.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account with Contributor-level access or above on a site running Qi Blocks 1.4.3 or earlier.
Key dates
06 Disclosure timeline
November 15, 2025: CVE published
April 8, 2026: Record updated