Vulnerabilities and security researches forqubely qubely

Mar 11, 2025

CVE, Research URL: CVE-2024-13228
Home page URL: Security reports for Qubely – Advanced Gutenberg Blocks
Application: Qubely – Advanced Gutenberg Blocks
Date: Mar 11, 2025
Research Description: The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data.
Affected versions: Min -, max -.
Status: vulnerable

Feb 19, 2025

CVE, Research URL: CVE-2024-9601
Home page URL: Security reports for Qubely – Advanced Gutenberg Blocks
Application: Qubely – Advanced Gutenberg Blocks
Date: Feb 14, 2025
Research Description: The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Feb 18, 2025

CVE, Research URL: CVE-2025-26767
Home page URL: Security reports for Qubely – Advanced Gutenberg Blocks
Application: Qubely – Advanced Gutenberg Blocks
Date: Feb 17, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely – Advanced Gutenberg Blocks allows Stored XSS. This issue affects Qubely – Advanced Gutenberg Blocks: from n/a through 1.8.12.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2021-24916
Home page URL: Security reports for Qubely – Advanced Gutenberg Blocks
Application: Qubely – Advanced Gutenberg Blocks
Date: Aug 07, 2023
Research Description: The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-25013
Home page URL: Security reports for Qubely – Advanced Gutenberg Blocks
Application: Qubely – Advanced Gutenberg Blocks
Date: Jan 24, 2022
Research Description: The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-0376
Home page URL: Security reports for Qubely – Advanced Gutenberg Blocks
Application: Qubely – Advanced Gutenberg Blocks
Date: Jan 16, 2024
Research Description: The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: Min -, max -.
Status: vulnerable