Qi Blocks < 1.4 – Contributor+ Stored XSS vi Countdown Block | CVE 2025-1626 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its Countdown block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

As a contributor, create a post, add a Countdown block and put the following payload in the Labels > "Second Singular Label" field and save: &amp;gt;&amp;lt;img src=x onerror=alert(/XSS/)&amp;gt;

The XSS will be triggered when the second value of the counter reached 00 when (pre)viewing the post where the block is embed.

Notes:
- If the countdown is not running, setting the time option manually should do.
- To trigger the payload on a published post, it needs to be set to <img src=x onerror=alert(777)>

Affects Plugins

Fixed in 1.4

References

CVE

URL

https://research.cleantalk.org/CVE-2025-1626/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

f00d86f1-7ff9-4001-af16-989358d811a8

Timeline

Publicly Published

2025-04-28 (about 7 months ago)

Added

2025-04-28 (about 7 months ago)

Last Updated

2025-04-28 (about 7 months ago)

Other

Published

Title

Published

2023-07-03

Title

All-in-one Floating Contact Form < 2.1.2 - Admin+ Stored Cross-Site Scripting

Published

2024-12-16

Title

Tourmaster < 5.3.4 - Unauthenticated Stored XSS via Room Booking

Published

2025-04-24

Title

WS Force Login Page < 3.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2022-06-08

Title

Copify <= 1.3.0 - Stored Cross-Site Scripting via CSRF

Published

2024-04-08

Title

Forminator < 1.29.3 - Contributor+ Stored Cross-Site Scripting via forminator_form Shortcode