Qi Blocks < 1.4.4 – Missing Authorization to Authenticated (Contributor+) Plugin Settings Update | CVE 2025-12180 | Plugin Vulnerabilities

Description

The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques.

Affects Plugins

Fixed in 1.4.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/42e63318-661e-465d-919f-df0635ea1a6d

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Adrian Lukita

Verified

No

WPVDB ID

cdb355b6-2cd0-48e3-80b8-110ed3d40418

Timeline

Publicly Published

2025-10-31 (about 6 months ago)

Added

2025-10-31 (about 6 months ago)

Last Updated

2025-11-01 (about 6 months ago)

Other

Published

Title

Published

2026-01-25

Title

SiteLock Security < 5.0.3 - Missing Authorization

Published

2026-01-05

Title

Traveler < 3.2.7 - Missing Authorization

Published

2025-11-21

Title

TI WooCommerce Wishlist < 2.11.0 - Missing Authorization

Published

2026-02-18

Title

Elegant Pink < 1.3.4 - Missing Authorization

Published

2025-05-19

Title

The Events Calendar < 6.12.0 - Subscriber+ Import Creation