CVE-2025-1626: 
WordPress vulnerability analysis and mitigation

The Qi Blocks WordPress plugin before version 1.4 contains a stored Cross-Site Scripting (XSS) vulnerability discovered on April 28, 2025. The vulnerability affects the Countdown block functionality within the plugin, specifically related to insufficient validation and escaping of certain block options before they are output back in pages or posts where the block is embedded (WPScan).

The vulnerability exists in the Countdown block's option handling mechanism, particularly in the 'Second Singular Label' field. The plugin fails to properly validate and escape input fields before rendering them in the frontend. This security weakness has been assigned a CVSS score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Wiz).

When exploited, this vulnerability enables authenticated users with contributor privileges or higher to perform stored Cross-Site Scripting attacks. The malicious scripts are executed in the context of other users' browsers when they view pages containing the compromised Countdown block, potentially leading to session hijacking, credential theft, or other client-side attacks (Wiz).

The vulnerability has been patched in Qi Blocks version 1.4. Site administrators are strongly advised to update to this version or later to protect against potential XSS attacks. If immediate updating is not possible, administrators should consider restricting access to the Countdown block functionality to trusted users only (Wiz).