CVE-2025-12180 — Missing Authorization in QI Blocks

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 90.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qodeinteractive QI Blocks

Timeline

PublishedNov 1

Description

The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, ove…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5qodeinteractive/qi_blocks1.4.3

🔴Vulnerability Details

GHSA

GHSA-qjwx-pxp7-6ccp: The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1↗2025-11-01

▶

CVEList

Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update↗2025-11-01

▶