Does Quick Featured Images have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Quick Featured Images compatible with WordPress 7.0?

According to WordPress.org data, Quick Featured Images 13.7.5 has been tested up to WordPress 7.0. Check the plugin's changelog for the latest compatibility information.

Is Quick Featured Images compatible with PHP 5.2+?

Quick Featured Images requires PHP 5.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Quick Featured Images updated?

Quick Featured Images was last updated on Apr 15, 2026. Frequent updates are generally a positive security signal.

What is Quick Featured Images's security score?

Quick Featured Images has a WP-Safety security score of 97/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Quick Featured Images Security & Risk Analysis

wordpress.org/plugins/quick-featured-images

The time-saving solution for managing tons of featured images within minutes: Set, replace and delete in bulk and set default images for future posts.

50K active installs v13.7.5 PHP 5.2+ WP 5.6+ Updated Apr 15, 2026

bulk-editfeatured-imagefeatured-imagesmedia-librarypost-thumbnails

A · Safe

CVEs total3

Unpatched0

Last CVENov 7, 2025

Plugin page Download

Safety Verdict

Is Quick Featured Images Safe to Use in 2026?

Generally Safe

Score 97/100

Quick Featured Images has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEsLast CVE: Nov 7, 2025Updated 1mo ago

Risk Assessment

The quick-featured-images plugin v13.7.4 exhibits a generally good security posture, with a notable lack of critical or high-severity code signals. The presence of nonces and capability checks on all identified entry points (AJAX handlers) is a positive indicator of secure development practices. Furthermore, the high percentage of SQL queries using prepared statements (93%) and the absence of dangerous functions or file operations suggest a solid foundation for preventing common web vulnerabilities. The taint analysis also shows no identified vulnerabilities with unsanitized paths, reinforcing the impression of robust input handling.

Despite these strengths, concerns arise from the vulnerability history. The plugin has had a total of 3 known CVEs, all categorized as medium severity. These historically included SQL injection, authorization bypass, and missing authorization vulnerabilities. While none are currently unpatched, this history indicates past weaknesses in how user input was handled and authorization was enforced. The last known vulnerability was relatively recent (2025-11-07), suggesting that even with ongoing development, new issues can emerge. The 55% proper output escaping, while not alarmingly low, still leaves room for potential cross-site scripting (XSS) vulnerabilities if not carefully managed in the remaining 45% of outputs.

In conclusion, quick-featured-images v13.7.4 is reasonably secure due to its architecture and adherence to common security best practices like prepared statements and entry point validation. However, its historical vulnerability record warrants cautious consideration, particularly concerning authorization and SQL injection. The moderate output escaping also presents a minor, albeit present, risk. Vigilance and prompt updates for any future vulnerabilities are advised.

Key Concerns

Medium severity CVEs in vulnerability history
Moderate output escaping (55% proper)

Vulnerabilities

3 published

Quick Featured Images Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

2 CVEs in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

3 total CVEs

CVE-2025-11980medium · 4.9Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Quick Featured Images <= 13.7.3 - Authenticated (Editor+) SQL Injection via delete_orphaned

Nov 7, 2025 Patched in 13.7.4 (1d)

CVE-2025-11176medium · 4.3Authorization Bypass Through User-Controlled Key

Quick Featured Images <= 13.7.2 - Insecure Direct Object Reference to Image Manipulation

Oct 14, 2025 Patched in 13.7.3 (1d)

CVE-2024-3664medium · 4.3Missing Authorization

Quick Featured Images <= 13.7.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Thumbnail Deletion/Setting

Apr 22, 2024 Patched in 13.7.1 (1d)

Version History

Quick Featured Images Release Timeline

v13.7.5Current

v13.7.4

v13.7.31 CVE

CVE-2025-11980

v13.7.22 CVEs

CVE-2025-11176 CVE-2025-11980

v13.7.12 CVEs

CVE-2025-11176 CVE-2025-11980

v13.7.03 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.6.03 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.5.73 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.5.63 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.5.53 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.5.43 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.5.33 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.5.23 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.5.13 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.5.03 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.4.23 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.4.13 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.4.03 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.3.63 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

v13.3.53 CVEs

CVE-2025-11176 CVE-2025-11980 CVE-2024-3664

Code Analysis

Analyzed Mar 16, 2026

Quick Featured Images Code Analysis

Dangerous Functions

Raw SQL Queries

14 prepared

Unescaped Output

171

210 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

93% prepared15 total queries

Output Escaping

55% escaped381 total outputs

Data Flows · Security

All sanitized

Data Flow Analysis

5 flows

set_thumbnail (admin\class-Quick_Featured_Images_Columns.php:507)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Quick Featured Images Attack Surface

Entry Points2

Unprotected0

AJAX Handlers 2

authwp_ajax_qfi_set_thumbnailadmin\class-Quick_Featured_Images_Columns.php:223

authwp_ajax_qfi_delete_thumbnailadmin\class-Quick_Featured_Images_Columns.php:225

WordPress Hooks 33

actioninitadmin\class-Quick_Featured_Images_Admin.php:108

actionwpmu_new_blogadmin\class-Quick_Featured_Images_Admin.php:111

actionadmin_menuadmin\class-Quick_Featured_Images_Admin.php:114

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Admin.php:117

actionadmin_noticesadmin\class-Quick_Featured_Images_Admin.php:127

actionmanage_media_columnsadmin\class-Quick_Featured_Images_Columns.php:161

actionmanage_media_custom_columnadmin\class-Quick_Featured_Images_Columns.php:163

actionadmin_headadmin\class-Quick_Featured_Images_Columns.php:165

actionadmin_initadmin\class-Quick_Featured_Images_Columns.php:213

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Columns.php:215

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Columns.php:217

actionadmin_headadmin\class-Quick_Featured_Images_Columns.php:219

filterpre_get_postsadmin\class-Quick_Featured_Images_Columns.php:221

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Comparison.php:125

actionadmin_menuadmin\class-Quick_Featured_Images_Comparison.php:128

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Defaults.php:201

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Defaults.php:202

actionadmin_menuadmin\class-Quick_Featured_Images_Defaults.php:205

actionsave_postadmin\class-Quick_Featured_Images_Defaults.php:208

actiondelete_attachmentadmin\class-Quick_Featured_Images_Defaults.php:211

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Settings.php:157

actionadmin_menuadmin\class-Quick_Featured_Images_Settings.php:160

actionadmin_initadmin\class-Quick_Featured_Images_Settings.php:170

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Tools.php:391

actionadmin_enqueue_scriptsadmin\class-Quick_Featured_Images_Tools.php:392

actionadmin_menuadmin\class-Quick_Featured_Images_Tools.php:395

filtermedia_row_actionsadmin\class-Quick_Featured_Images_Tools.php:398

actionplugins_loadedquick-featured-images.php:41

actionplugins_loadedquick-featured-images.php:58

actionplugins_loadedquick-featured-images.php:66

actionplugins_loadedquick-featured-images.php:73

actionplugins_loadedquick-featured-images.php:78

actionplugins_loadedquick-featured-images.php:83

Maintenance & Trust

Quick Featured Images Maintenance & Trust

Maintenance Signals

WordPress version tested7.0

Last updatedApr 15, 2026

PHP min version5.2

Downloads1.2M

Community Trust

Rating94/100

Number of ratings236

Active installs50K

Alternatives

Quick Featured Images Alternatives

Acme Fix Images – Regenerate Thumbnails

acme-fix-images

Fix image sizes after you have changed image sizes from Media Settings. Ensure your images display consistently across your website.

4K 1 CVE

WP Random Post Thumbnails

wp-random-post-thumbnails

100

Allows you to select images to be shown at random for posts without a featured image.

1K No CVEs

AOC Multiple Post Images

aoc-multiple-post-images

AOC Multiple Post Images allows a user to upload multiple featured images to a post.

10 No CVEs

Auto Featured Image (Auto Post Thumbnail)

auto-post-thumbnail

Automatically generate, assign, and manage featured images in bulk so every post on your site has a featured image.

50K 6 CVEs

Crop-Thumbnails

crop-thumbnails

100

"Crop Thumbnails" made it easy to get exacly that specific image-detail you want to show in your featured image or gallery image.

40K No CVEs

Developer Profile

Quick Featured Images Developer Profile

Kybernetik Services

10 plugins · 167K total installs

100

trust score

Avg Security Score

100/100

Avg Patch Time

1 days

View full developer profile

Detection Fingerprints

How We Detect Quick Featured Images

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/quick-featured-images/css/admin/css/admin.css/wp-content/plugins/quick-featured-images/css/admin/css/bootstrap.css/wp-content/plugins/quick-featured-images/css/admin/css/bootstrap-theme.css/wp-content/plugins/quick-featured-images/css/admin/css/jquery-ui.css/wp-content/plugins/quick-featured-images/css/admin/css/select2.min.css/wp-content/plugins/quick-featured-images/css/admin/css/wp-jquery-ui-dialog.css/wp-content/plugins/quick-featured-images/css/admin/css/quick-featured-images.css/wp-content/plugins/quick-featured-images/css/admin/css/quick-featured-images-default.css+14 more

Script Paths

/wp-content/plugins/quick-featured-images/js/admin/js/qfi-admin.js/wp-content/plugins/quick-featured-images/js/admin/js/bootstrap.js/wp-content/plugins/quick-featured-images/js/admin/js/jquery-ui.js/wp-content/plugins/quick-featured-images/js/admin/js/jquery-ui-dialog.js/wp-content/plugins/quick-featured-images/js/admin/js/jquery-ui-tabs.js/wp-content/plugins/quick-featured-images/js/admin/js/jquery-ui-datepicker.js+8 more

Version Parameters

quick-featured-images/css/admin/css/admin.css?ver=quick-featured-images/css/admin/css/bootstrap.css?ver=quick-featured-images/css/admin/css/bootstrap-theme.css?ver=quick-featured-images/css/admin/css/jquery-ui.css?ver=quick-featured-images/css/admin/css/select2.min.css?ver=quick-featured-images/css/admin/css/wp-jquery-ui-dialog.css?ver=quick-featured-images/css/admin/css/quick-featured-images.css?ver=quick-featured-images/css/admin/css/quick-featured-images-default.css?ver=quick-featured-images/js/admin/js/qfi-admin.js?ver=quick-featured-images/js/admin/js/bootstrap.js?ver=quick-featured-images/js/admin/js/jquery-ui.js?ver=quick-featured-images/js/admin/js/jquery-ui-dialog.js?ver=quick-featured-images/js/admin/js/jquery-ui-tabs.js?ver=quick-featured-images/js/admin/js/jquery-ui-datepicker.js?ver=quick-featured-images/js/admin/js/select2.full.min.js?ver=quick-featured-images/js/admin/js/quick-featured-images.js?ver=quick-featured-images/js/admin/js/quick-featured-images-admin.js?ver=quick-featured-images/js/admin/js/quick-featured-images-tools.js?ver=quick-featured-images/js/admin/js/quick-featured-images-settings.js?ver=quick-featured-images/js/admin/js/quick-featured-images-columns.js?ver=quick-featured-images/js/admin/js/quick-featured-images-defaults.js?ver=quick-featured-images/js/admin/js/quick-featured-images-comparison.js?ver=

HTML / DOM Fingerprints

CSS Classes

qfi-flex-rowqfi-quick-set-featured-imageqfi-post-list-actionsqfi-bulk-actionsqfi-bulk-actionqfi-bulk-action-selectqfi-bulk-action-deleteqfi-bulk-action-replace+71 more

HTML Comments

+77 more

Data Attributes

data-qfi-bulk-action-typedata-qfi-image-iddata-qfi-post-iddata-qfi-actiondata-qfi-setting-namedata-qfi-setting-value+1 more

JS Globals

quick_featured_images_adminqfi_admin_paramsquick_featured_images_toolsqfi_tools_paramsquick_featured_images_settingsqfi_settings_params+6 more

FAQ

Quick Featured Images Security & Risk Analysis

Is Quick Featured Images Safe to Use in 2026?

Generally Safe

Key Concerns

Quick Featured Images Security Vulnerabilities

CVEs by Year

Severity Breakdown

Quick Featured Images Release Timeline

Quick Featured Images Code Analysis

SQL Query Safety

Output Escaping

Data Flow Analysis

Quick Featured Images Attack Surface

AJAX Handlers 2

Quick Featured Images Maintenance & Trust

Maintenance Signals

Community Trust

Quick Featured Images Alternatives

Acme Fix Images – Regenerate Thumbnails

WP Random Post Thumbnails

AOC Multiple Post Images

Auto Featured Image (Auto Post Thumbnail)

Crop-Thumbnails

Quick Featured Images Developer Profile

How We Detect Quick Featured Images

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Quick Featured Images