Qi Blocks, developed by Qode Interactive, is one of the most comprehensive sets of Gutenberg blocks for WordPress, offering dozens of customizable components. Despite its acclaim for design and functionality, versions of the plugin prior to 1.4 are vulnerable to Stored Cross-Site Scripting (XSS), allowing users with Contributor privileges to inject malicious JavaScript code. This vulnerability poses a serious security threat, as the payload executes in both the admin panel and public pages.
| CVE | CVE-2025-1625 |
| Plugin | Qi Blocks < 1.4 |
| Critical | High |
| All Time | 533 058 |
| Active installations | 60 000+ |
| Publicly Published | April 29, 2025 |
| Last Updated | April 29, 2025 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1625 https://wpscan.com/vulnerability/288208c4-e9ca-4b79-88e7-fb415a726fce/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| February 8, 2025 | Plugin testing and vulnerability detection in the QI Blocks have been completed |
| February 8, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 29, 2025 | Registered CVE-2025-1625 |
Discovery of the Vulnerability
During a security audit of the Qi Blocks plugin, it was discovered that the Counter block does not properly sanitize user input in the Digit Label field. A user with Contributor privileges can insert malicious script encoded with HTML entities, which is then saved to the database and executed when the content is displayed, both in the admin area and on the front end. The issue has been confirmed in versions prior to and including 1.4.
Understanding of XSS attack’s
Stored XSS is a type of vulnerability where malicious scripts are stored on the server and executed when pages are loaded by other users. In the WordPress ecosystem, such attacks are especially dangerous because they often involve:
- custom fields,
- visual page builders (like Gutenberg, Elementor),
- widgets and plugin settings.
Examples include:
- A Contributor inserts a script into a block label field โ the script runs when an admin views the post.
- XSS in widgets can lead to page defacement or redirecting visitors to malicious sites.
Exploiting the XSS Vulnerability
Exploitation in Qi Blocks is straightforward and requires minimal privileges:
POC:
1. Log in with a Contributor account. 2. Navigate to the Posts section and create a new post. 3. Add a Counter block from Qi Blocks. 4. In the Digit Label field, insert the following HTML-encoded XSS payload: "><script></script><img src=x onerror=alert(777)> 5. Save or publish the post and open it in either the editor (/wp-admin/post.php) or on the frontend.____
Result: the injected script will execute automatically, leading to potential attacks like session hijacking, privilege escalation, or content manipulation.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2025-1625, site administrators should immediately update the Qi Blocks plugin to version 1.4 or later. This vulnerability affects the Counter block, where the Digit Label field allowed Contributor-level users to inject persistent JavaScript due to improper input sanitization. Developers must ensure that all user-provided data, especially in customizable block fields, is properly sanitized on input and securely encoded on output. Implementing a strict Content Security Policy (CSP) can further reduce the risk by blocking inline scripts and restricting the execution of untrusted code. Administrators are advised to limit Contributor permissions, preventing them from injecting HTML or JavaScript into sensitive areas, and to regularly audit user roles and content publishing capabilities. WordPress security functions such as sanitize_text_field(), esc_html(), esc_attr(), and wp_kses_post() should be consistently applied to all dynamic content. To prevent this type of attack in the future, the plugin vendor has applied our recommended methods of prevention, emphasizing strong input validation and safe output handling across all user-modifiable fields. To prevent this type of attack in the future, the vendor applied our recommended methods of prevention, focusing on strong input validation and secure output encoding. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1625, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Artyom k.