CVE-2026-10096
Received Received - Intake

Qi Blocks Plugin WordPress IDOR Vulnerability

Vulnerability report for CVE-2026-10096, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own β€” including site-wide surfaces via the reserved 'template' and 'widget' page_id values β€” enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
qi_blocks qi_blocks to 1.4.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Qi Blocks plugin for WordPress has an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 1.4.9. This vulnerability arises because the 'page_id' parameter, which is user-controlled, lacks proper validation.

As a result, authenticated users with author-level access or higher can modify the stored Qi Blocks styles of posts, templates, or widgets they do not own. This includes site-wide elements through special 'template' and 'widget' page_id values.

The permission check only verifies generic capabilities like edit_posts and publish_posts, which authors have, regardless of ownership, enabling unauthorized changes.

Impact Analysis

This vulnerability allows attackers with author-level access to perform unauthorized modifications to the frontend appearance of the website.

  • Unauthorized frontend defacement
  • Hiding of content
  • Degradation of any page on the site
Compliance Impact

The vulnerability allows authenticated users with author-level access to modify styles of arbitrary posts, templates, or widgets they do not own, potentially leading to unauthorized frontend defacement and content manipulation.

However, there is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10096. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart