CVE-2025-1627 Qi Blocks < 1.4 - Contributor+ Stored XSS via ToC Block

The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2025-1626 Qi Blocks < 1.4 - Contributor+ Stored XSS vi Countdown Block

The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Countdown block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2025-1625 Qi Blocks < 1.4 - Contributor+ Stored XSS via Counter Block

The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Counter block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2025-1625 Qi Blocks < 1.4 - Contributor+ Stored XSS via Counter Block

The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Counter block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

WordPress plugin Qi Blocks 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blog sites on servers running PHP and MySQL. A security vulnerability exists in the...

WordPress plugin Qi Blocks 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in the...

PT-2025-21885 · WordPress · Qi Blocks

Name of the Vulnerable Software and Affected Versions: Qi Blocks WordPress plugin versions prior to 1.4 Description: The issue concerns the Qi Blocks WordPress plugin, which does not properly validate and escape some of its block options before outputting them in a page or post. This could allow...

WordPress SKT Blocks – Gutenberg based Page Builder plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting XSS Vulnerability discovered by zaim in WordPress Plugin SKT Blocks versions = 2.0...

CVE-2025-3616

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspbmakeproxyapirequest function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access...

CVE-2025-32625

CVE-2025-32625 describes a reflected XSS vulnerability in WordPress Mobile Blocks (Mobile Pages) plugin/product “Mobile Blocks,” affecting versions from n/a up to 1.0.2. The connected Wordfence entry confirms the vulnerability class as Reflected Cross‑Site Scripting and lists the affected softwar...

CVE-2025-3276

The SKT Blocks – Gutenberg based Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Carousel block in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

WordPress SKT Blocks – Gutenberg based Page Builder plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by zaim Patchstack Alliance in WordPress Plugin SKT Blocks versions = 1.8...

WordPress C9 Blocks plugin <= 1.7.7 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Gab Patchstack Alliance in WordPress Plugin C9 Blocks versions = 1.7.7...

CVE-2025-2568 Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce 1.0.4 - 1.2.1 - Missing Authorization to Unauthenticated Limited Arbitrary Options Update

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayublocksgettoggleswitchvaluescallback' and 'vayublockssavetoggleswitchcallback' function in versions 1.0.4 t...

CVE-2025-32173

CVE-2025-32173 affects B Blocks – The ultimate block collection (WordPress) up to version 2.0.0, with a Stored XSS due to improper input neutralization during web page generation. The connected Wordfence listing confirms the issue and notes the vulnerability is patched; no exploit details are pro...

CVE-2025-1312

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttonTextColor’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-1312 Ultimate Blocks – WordPress Blocks Plugin <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttonTextColor’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-1312 Ultimate Blocks – WordPress Blocks Plugin <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttonTextColor’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-1312

CVE-2025-1312 (Ultimate Blocks) : A stored cross-site scripting vulnerability exists in the Ultimate Blocks – WordPress Blocks Plugin, reachable by an attacker with Contributor+ privileges via the buttonTextColor parameter. Connected sources confirm this is an authenticated Stored XSS and affect ...

CVE-2025-1703 Ultimate Blocks <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter

The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acce...