{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12180", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T18:56:36.046Z", "datePublished": "2025-11-01T05:40:21.834Z", "dateUpdated": "2026-04-08T16:49:00.673Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:00.673Z"}, "affected": [{"vendor": "qodeinteractive", "product": "Qi Blocks", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques."}], "title": "Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42e63318-661e-465d-919f-df0635ea1a6d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L145"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Adrian Lukita"}], "timeline": [{"time": "2025-10-24T19:14:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-31T16:53:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-03T13:10:48.929761Z", "id": "CVE-2025-12180", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:31:27.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12180", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-03T13:10:48.929761Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:10:49.716Z"}}], "cna": {"title": "Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Adrian Lukita"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "qodeinteractive", "product": "Qi Blocks", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-24T19:14:25.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-31T16:53:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42e63318-661e-465d-919f-df0635ea1a6d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L145"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php"}], "descriptions": [{"lang": "en", "value": "The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:00.673Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12180", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:00.673Z", "dateReserved": "2025-10-24T18:56:36.046Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-01T05:40:21.834Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques."}], "id": "CVE-2025-12180", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-01T06:15:40.517", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L145"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42e63318-661e-465d-919f-df0635ea1a6d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:34:35.072950+00:00", "value": {"mitigation_remediation": ["Upgrade the Qi Blocks plugin to version 1.4.4 or later, where the REST endpoint includes proper authorization checks.", "If an immediate upgrade is unavailable, restrict Contributor and other non-admin roles from accessing REST endpoints, or disable the update-styles endpoint via custom code or a security plugin.", "Implement a custom plugin or snippet to sanitize or reject CSS submissions from non-superadmin users, ensuring only administrators can modify global styles."], "summary": {"action": "Immediate Patch", "impact": "Authenticated CSS injection via the Qi Blocks REST API allowing content manipulation and potential data exfiltration"}, "threat_synthesis": {"affected_systems": "The Qi Blocks plugin by qodeinteractive, versions up to and including 1.4.3, is affected. WordPress sites that have installed this plugin and have Contributor or higher roles are susceptible.", "description_and_impact": "The vulnerability in the Qi Blocks WordPress plugin arises from a missing authorization check on the update-styles REST endpoint. Users with Contributor-level access can submit arbitrary CSS, which the plugin stores without sanitization. The injected CSS can hide or replace page elements, create deceptive UI overlays, or extract user data through CSS-based exfiltration techniques, thereby compromising the integrity and appearance of the site.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low severity vulnerability, and the EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. Because the flaw requires authenticated access, exploitation depends on the existence of Contributor or higher accounts. The vulnerability is not listed in CISA\u2019s KEV catalog, but the potential for UI deception and data leakage warrants prompt remediation."}}}}, "created": "2025-11-03T10:43:39.748341+00:00", "updated": "2026-04-22T12:45:17.021679+00:00", "vendors": ["qodeinteractive", "qodeinteractive$PRODUCT$qi_blocks", "wordpress", "wordpress$PRODUCT$wordpress"]}