CVE-2025-12180

Name of the Vulnerable Software and Affected Versions Qi Blocks plugin for WordPress versions up to and including 1.4.3

Description The Qi Blocks plugin for WordPress is susceptible to a missing authorization issue. The plugin stores arbitrary CSS styles submitted through the qi-blocks/v1/update-styles API endpoint without sufficient sanitization within the update global styles callback() function. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary CSS. This CSS injection can be leveraged to hide content, overlay deceptive UI elements, or potentially steal sensitive information.

Recommendations Update the Qi Blocks plugin to a version later than 1.4.3.