CVE-2024-5221

6.4 MEDIUM

📋 TL;DR

The Qi Blocks WordPress plugin has a stored cross-site scripting vulnerability in its file uploader that allows authenticated attackers with Author-level access or higher to inject malicious scripts. These scripts execute when users visit compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Qi Blocks version 1.2.9 or earlier are affected.

💻 Affected Systems

Products:
  • Qi Blocks WordPress Plugin
Versions: All versions up to and including 1.2.9
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Qi Blocks plugin enabled. Attackers need at least Author-level user access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.

🟠 Likely Case

Attackers with Author access inject malicious scripts to steal user session cookies or credentials, potentially escalating privileges to gain administrative control over the WordPress site.

🟢 If Mitigated

With proper input validation and output escaping, malicious scripts are neutralized before execution, preventing any successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access (Author role or higher). The vulnerability is in the file uploader functionality with insufficient input sanitization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.0 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3097241%40qi-blocks%2Ftrunk&old=3094374%40qi-blocks%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Qi Blocks plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.3.0+ from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Qi Blocks Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate qi-blocks

Restrict User Roles (platform: linux)

Temporarily remove Author and higher privileges from untrusted users:

# wp user set-role takes a single user per invocation, so hand the IDs to it one at a time
wp user list --role=author --field=ID | xargs -I {} wp user set-role {} subscriber
# --role=author only covers the Author role; repeat with --role=editor (and any custom roles) to cover the "higher" roles too

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in file upload requests
  • Enable Content Security Policy (CSP) headers to restrict script execution sources

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Qi Blocks version. If version is 1.2.9 or lower, you are vulnerable.

Check Version:

wp plugin get qi-blocks --field=version

Verify Fix Applied:

After updating, verify Qi Blocks plugin shows version 1.3.0 or higher in WordPress admin panel.
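The version check above is easy to get wrong in a script: comparing version strings lexically ranks "1.10.0" below "1.3.0". The following added example (not part of the advisory or of the Qi Blocks project) implements the affected-range test numerically, treats a pre-release of the fixed version (e.g. "1.3.0-beta1") conservatively as still affected (an assumption, since the advisory only names 1.2.9 and 1.3.0), and applies it to a constructed per-site inventory such as one collected with `wp plugin get qi-blocks --field=version`.

```python
"""Decide whether an installed Qi Blocks version falls in the affected range for CVE-2024-5221."""
import re
from typing import Dict, List, Tuple

LAST_AFFECTED = "1.2.9"  # advisory: all versions up to and including 1.2.9 are affected
FIXED_IN = "1.3.0"       # advisory: patch version 1.3.0 or later

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+]([0-9A-Za-z.]+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric parts, is_prerelease) for strings like '1.2.9' or '1.3.0-beta1'.

    Integer tuples compare numerically; a plain string comparison would rank
    '1.10.0' below '1.3.0', which is the usual bug in hand-rolled version checks.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts, match.group(2) is not None


def is_affected(version: str) -> bool:
    """True if the version is within the advisory's affected range."""
    parts, prerelease = parse_version(version)
    last, _ = parse_version(LAST_AFFECTED)
    fixed, _ = parse_version(FIXED_IN)
    if parts <= last:
        return True
    # Assumption: a pre-release of the fixed version predates the fix, so treat it as affected.
    if parts == fixed and prerelease:
        return True
    return False


def affected_sites(inventory: Dict[str, str]) -> List[str]:
    """Given {site: installed Qi Blocks version}, return the sites that still need the update."""
    return sorted(site for site, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "blog.example.com": "1.2.9",
    "shop.example.net": "1.3.0",
    "docs.example.org": "1.10.0",
    "staging.example.org": "1.3.0-beta1",
}

if __name__ == "__main__":
    for site in affected_sites(SAMPLE_INVENTORY):
        print(f"{site}: Qi Blocks {SAMPLE_INVENTORY[site]} is affected, update to {FIXED_IN}+")
```

Run against real data by replacing `SAMPLE_INVENTORY` with the versions reported by `wp plugin get qi-blocks --field=version` on each site.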

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads via Qi Blocks endpoints
  • POST requests to /wp-admin/admin-ajax.php with suspicious parameters
  • JavaScript payloads in file upload requests

Network Indicators:

  • Unusual traffic patterns to Qi Blocks plugin endpoints
  • Multiple file upload attempts with script-like content

SIEM Query:

source="wordpress.log" AND "qi-blocks" AND ("upload" OR "admin-ajax") AND ("script" OR "javascript" OR "onload" OR "onerror")
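As an added example that is not part of the advisory, the script below reimplements the three clauses of that SIEM query in Python so the logic can be tested offline against constructed log lines (the line format is hypothetical; real `wordpress.log` layouts differ). It shows two practical refinements: URL-decoding before matching, because upload request bodies often carry the payload encoded (`%3Cscript%3E`), and an optional strict mode with word boundaries, because the literal `"script"` clause also fires on harmless words such as "subscription".

```python
"""Offline re-implementation of the advisory's SIEM query over constructed log lines."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

PLUGIN_TOKEN = "qi-blocks"
ENDPOINT_TOKENS = ("upload", "admin-ajax")
SCRIPT_TOKENS = ("script", "javascript", "onload", "onerror")
STRICT_SCRIPT_RE = re.compile(r"\b(" + "|".join(SCRIPT_TOKENS) + r")\b")

# Constructed sample log (hypothetical format, not real traffic). Line 1 carries a
# URL-encoded payload, line 4 a plain one, line 5 is a benign false-positive candidate.
SAMPLE_LOG = """\
2024-05-12T10:01:02Z INFO qi-blocks upload user=author1 endpoint=admin-ajax file="banner.png" field="alt=%3Cscript%3E"
2024-05-12T10:01:09Z INFO qi-blocks upload user=author1 endpoint=admin-ajax file="photo.jpg" field="alt=team photo"
2024-05-12T10:05:30Z INFO core page-view user=editor2 path=/wp-admin/post.php?post=12
2024-05-12T10:07:44Z INFO qi-blocks upload user=author1 endpoint=admin-ajax file="logo.png" field="title=x onerror=y"
2024-05-12T10:09:00Z INFO qi-blocks upload user=editor2 endpoint=admin-ajax file="subscription-form.png" field="alt=form"
"""


def normalize(line: str, max_rounds: int = 3) -> str:
    """Lower-case and URL-decode a line, repeating a few times to unwrap double encoding."""
    text = line.lower()
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def script_tokens_found(text: str, strict: bool) -> List[str]:
    """Script-like tokens present in the normalized text (substring or word-boundary match)."""
    if strict:
        return sorted({m.group(1) for m in STRICT_SCRIPT_RE.finditer(text)})
    return [tok for tok in SCRIPT_TOKENS if tok in text]


def matches_siem_query(line: str, strict: bool = False) -> List[str]:
    """Return the matched script tokens if all three clauses of the query hold, else []."""
    text = normalize(line)
    if PLUGIN_TOKEN not in text:                      # "qi-blocks"
        return []
    if not any(tok in text for tok in ENDPOINT_TOKENS):  # ("upload" OR "admin-ajax")
        return []
    return script_tokens_found(text, strict)          # ("script" OR "javascript" OR ...)


def scan(log_text: str, strict: bool = False) -> List[Dict[str, object]]:
    """Run the query over every line and collect hits with their line number and tokens."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        tokens = matches_siem_query(line, strict)
        if tokens:
            hits.append({"line": number, "tokens": tokens, "raw": line})
    return hits


if __name__ == "__main__":
    for mode in (False, True):
        label = "strict" if mode else "loose"
        for hit in scan(SAMPLE_LOG, strict=mode):
            print(f"[{label}] line {hit['line']}: {hit['tokens']}")
```

In loose mode the query flags lines 1, 4 and 5; strict mode drops line 5, where "script" only appears inside "subscription". Neither mode replaces review of the uploaded file itself, but decoding before matching is what keeps the encoded payload on line 1 from slipping past the rule.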
