Security

In April 2025, a stored Cross-Site Scripting (XSS) vulnerability was identified in the popular Qi Blocks WordPress plugin, specifically affecting versions below 1.4. This vulnerability, now tracked as CVE-2025-1627, allows a user with Contributor permissions to inject malicious scripts into the site using the Table of Contents (ToC) block. Once a malicious payload is stored, it gets executed every time a visitor loads the affected page — putting both site administrators and end users at risk.

Qi Blocks, developed by Qode Interactive, is one of the most comprehensive sets of Gutenberg blocks for WordPress, offering dozens of customizable components. Despite its acclaim for design and functionality, versions of the plugin prior to 1.4 are vulnerable to Stored Cross-Site Scripting (XSS), allowing users with Contributor privileges to inject malicious JavaScript code. This vulnerability poses a serious security threat, as the payload executes in both the admin panel and public pages.

WordPress plugins expand the functionality of websites but can sometimes introduce security vulnerabilities if user inputs are not properly validated and sanitized. CVE-2025-1626 highlights a critical Stored Cross-Site Scripting (XSS) vulnerability discovered in the popular Qi Blocks plugin (versions prior to 1.4), which could be exploited by users with Contributor privileges. This flaw poses a serious risk to the security of WordPress sites using the plugin, as it could lead to session hijacking, privilege escalation, or complete site compromise.

Icegram Engage is a popular WordPress plugin designed to create popups, opt-in forms, and other interactive elements to engage visitors. With over 30,000 active installations, it is widely used to enhance user experience on WordPress sites. However, a critical vulnerability (CVE-2024-13486) has been identified within the plugin that allows an attacker to execute stored Cross-Site Scripting (XSS) attacks. This vulnerability can be exploited by attackers to inject malicious JavaScript code, potentially leading to backdoor creation and unauthorized account takeover.

The Contact Form & SMTP Plugin for WordPress by PirateForms is widely used to add customizable contact forms and SMTP email configurations to WordPress sites. With over 50,000 active installations, the plugin provides a convenient solution for website owners to manage user interactions. However, a critical vulnerability (CVE-2024-11272) has been discovered in the plugin that exposes WordPress sites to a serious security risk. The vulnerability allows attackers to inject malicious JavaScript into the plugin’s settings via the “Submit button” field. This can lead to account takeover, backdoor creation, and a wide range of other security risks.

The Contact Form & SMTP Plugin for WordPress by PirateForms is widely used to implement contact forms and handle email submissions through SMTP. With over 50,000 active installations, this plugin offers a simple and efficient way to manage user inquiries. However, a critical vulnerability—CVE-2024-11273—has been discovered in the plugin, which allows for Stored Cross-Site Scripting (XSS) attacks. This flaw enables attackers to inject malicious JavaScript code into the plugin’s settings, leading to the creation of backdoors and allowing attackers to take over admin accounts.