Author: Artyom Krugov

Vulnerability was discovered in the widely-used WordPress plugin Post Slider and Carousel with Widget, which allows site owners to display posts in sliders or carousels. This plugin is favored for its ease of use and flexibility, especially for non-technical users.

The vulnerability, now identified as CVE-2025-4567, affects plugin versions below 3.2.10 and allows an authenticated user (with access to widget settings) to inject stored JavaScript code into a field that is later rendered on the front-end — leading to persistent Cross-Site Scripting (XSS) and the potential creation of a JavaScript backdoor.

The Real Cookie Banner plugin is a powerful consent management tool for WordPress, widely used to help website administrators comply with the GDPR and ePrivacy directives. With features like customizable cookie banners, content blockers, and consent documentation, the plugin plays a key role in user privacy and legal compliance. However, in version below 5.1.6, a Stored Cross-Site Scripting (XSS) vulnerability was discovered that can be exploited by authenticated users with access to the plugin’s customization features.

This article explores the vulnerability in detail, demonstrates how it can be exploited, and outlines practical recommendations for mitigating similar security risks in WordPress environments.

Blog2Social is a widely used WordPress plugin that enables automatic posting, cross-promoting, and scheduling of content across a variety of social networks. It’s particularly popular among content creators and marketing teams for its extensive integrations and automation features. However, in versions prior to 8.4.0, a critical Stored Cross-Site Scripting (XSS) vulnerability was discovered. This flaw allows users with the Contributor role to inject malicious scripts that get executed within the WordPress Dashboard, posing a significant security threat.

In April 2025, a stored Cross-Site Scripting (XSS) vulnerability was identified in the popular Qi Blocks WordPress plugin, specifically affecting versions below 1.4. This vulnerability, now tracked as CVE-2025-1627, allows a user with Contributor permissions to inject malicious scripts into the site using the Table of Contents (ToC) block. Once a malicious payload is stored, it gets executed every time a visitor loads the affected page — putting both site administrators and end users at risk.

Qi Blocks, developed by Qode Interactive, is one of the most comprehensive sets of Gutenberg blocks for WordPress, offering dozens of customizable components. Despite its acclaim for design and functionality, versions of the plugin prior to 1.4 are vulnerable to Stored Cross-Site Scripting (XSS), allowing users with Contributor privileges to inject malicious JavaScript code. This vulnerability poses a serious security threat, as the payload executes in both the admin panel and public pages.

WordPress plugins expand the functionality of websites but can sometimes introduce security vulnerabilities if user inputs are not properly validated and sanitized. CVE-2025-1626 highlights a critical Stored Cross-Site Scripting (XSS) vulnerability discovered in the popular Qi Blocks plugin (versions prior to 1.4), which could be exploited by users with Contributor privileges. This flaw poses a serious risk to the security of WordPress sites using the plugin, as it could lead to session hijacking, privilege escalation, or complete site compromise.