← Back
2025-11-01 5:40CVE-2025-12180Wordfence
PUBLISHED5.2CWE-862

Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update

The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques.

Problem type

Affected products

qodeinteractive

Qi Blocks

<= 1.4.3 - AFFECTED

References

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/42e63318-661e-465d-919f-df0635ea1a6d?source=cve

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L145

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php

GitHub Security Advisories

GHSA-qjwx-pxp7-6ccp

The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to,...

https://github.com/advisories/GHSA-qjwx-pxp7-6ccp

The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the qi-blocks/v1/update-styles REST API endpoint without proper sanitization in the update_global_styles_callback() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2025-12180

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L145

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/42e63318-661e-465d-919f-df0635ea1a6d?source=cve

github.com

https://github.com/advisories/GHSA-qjwx-pxp7-6ccp

JSON source

Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-12180",
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "dateUpdated": "2025-11-01T05:40:21.834Z",
    "dateReserved": "2025-10-24T18:56:36.046Z",
    "datePublished": "2025-11-01T05:40:21.834Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence",
        "dateUpdated": "2025-11-01T05:40:21.834Z"
      },
      "title": "Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques."
        }
      ],
      "affected": [
        {
          "vendor": "qodeinteractive",
          "product": "Qi Blocks",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "*",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "1.4.3"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-862 Missing Authorization",
              "cweId": "CWE-862",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42e63318-661e-465d-919f-df0635ea1a6d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L145"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-10-24T19:14:25.000+00:00",
          "lang": "en",
          "value": "Vendor Notified"
        },
        {
          "time": "2025-10-31T16:53:06.000+00:00",
          "lang": "en",
          "value": "Disclosed"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Adrian Lukita",
          "type": "finder"
        }
      ]
    }
  }
}

Mitre source

https://cveawg.mitre.org/api/cve/CVE-2025-12180