WordPress plugins expand the functionality of websites but can sometimes introduce security vulnerabilities if user inputs are not properly validated and sanitized. CVE-2025-1626 highlights a critical Stored Cross-Site Scripting (XSS) vulnerability discovered in the popular Qi Blocks plugin (versions prior to 1.4), which could be exploited by users with Contributor privileges. This flaw poses a serious risk to the security of WordPress sites using the plugin, as it could lead to session hijacking, privilege escalation, or complete site compromise.
CVE-2025-1626- Qi Blocks < 1.4 – Contributor+ Stored XSS via Countdown Block – POC
