Qi Blocks
cpe:2.3:a:qodeinteractive:qi_blocks:*:*:*:*:wordpress:*:*
- <= 1.4.3
A vulnerability exists in the Qi Blocks plugin for WordPress, affecting all versions up to and including 1.4.3. The issue stems from the plugin's REST API endpoint 'qi-blocks/v1/update-styles', which allows authenticated users with Contributor-level access and above to submit arbitrary CSS styles. These styles are stored without proper sanitization, enabling potential manipulation of content visibility, user interface elements, or exfiltration of sensitive information through CSS injection techniques.
Exploitation of this vulnerability could lead to unauthorized injection of CSS, allowing attackers to manipulate the appearance of the site or exfiltrate information using CSS-based methods.
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the 'qi-blocks/v1/update-styles' REST API endpoint. The request must include unvalidated CSS styles, which will be applied globally without proper sanitization. This can be done by using a tool like Postman or through custom JavaScript that interacts with the WordPress REST API.
Users are advised to update the Qi Blocks WordPress plugin to version 1.4.4 or later.
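The two defects described above are a permission check that admits Contributors and the absence of any sanitization before the CSS is stored. The following is an added example of how a WordPress plugin can register such a route safely; it is not Qi Blocks code, and the namespace, option name and function names are hypothetical.

```php
<?php
// Hardened REST route for storing site-wide custom CSS (illustrative, not the plugin's code).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/update-styles', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_blocks_update_styles',
        // 'edit_css' maps to 'unfiltered_html', so Contributors and Authors are refused.
        'permission_callback' => function () {
            return current_user_can( 'edit_css' );
        },
        'args' => array(
            'css' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'example_blocks_validate_css',
            ),
        ),
    ) );
} );

// Returns true for acceptable CSS, or a WP_Error that the REST server turns into a 400.
function example_blocks_validate_css( $css ) {
    if ( ! is_string( $css ) || strlen( $css ) > 100000 ) {
        return new WP_Error( 'rest_invalid_param', 'CSS missing or too large.', array( 'status' => 400 ) );
    }
    // A stylesheet never needs markup; reject anything that looks like a tag.
    if ( preg_match( '#</?\w+#', $css ) ) {
        return new WP_Error( 'rest_invalid_param', 'Markup is not allowed in CSS.', array( 'status' => 400 ) );
    }
    // Reject constructs that pull in remote stylesheets or execute in legacy engines.
    if ( preg_match( '/@import|expression\s*\(|javascript\s*:|-moz-binding|behavior\s*:/i', $css ) ) {
        return new WP_Error( 'rest_invalid_param', 'Disallowed CSS construct.', array( 'status' => 400 ) );
    }
    // Allow url() only for relative, data: or same-host resources so stored rules cannot call out.
    if ( preg_match_all( '/url\(\s*[\'"]?([^\'")]+)/i', $css, $m ) ) {
        $home = wp_parse_url( home_url(), PHP_URL_HOST );
        foreach ( $m[1] as $target ) {
            $host = wp_parse_url( trim( $target ), PHP_URL_HOST );
            if ( $host && 0 !== strcasecmp( $host, (string) $home ) ) {
                return new WP_Error( 'rest_invalid_param', 'External url() is not allowed.', array( 'status' => 400 ) );
            }
        }
    }
    return true;
}

// Only runs after permission_callback and validate_callback have both passed.
function example_blocks_update_styles( WP_REST_Request $request ) {
    $css = (string) $request->get_param( 'css' );
    update_option( 'example_blocks_custom_css', $css, false ); // hypothetical option name
    return rest_ensure_response( array( 'saved' => true, 'bytes' => strlen( $css ) ) );
}
```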