CVE Catalog

CVE-2026-10096

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in versions up to and including 1.4.9. Missing validation on the 'page_id' parameter allows authenticated attackers with author-level access or higher to modify Qi Blocks styles of arbitrary posts, templates, or widgets they do not own, including site-wide surfaces via reserved 'template' and 'widget' values.

Risk Assessment

The risk includes unauthorized frontend defacement, content hiding, and degradation of any page on the site, potentially leading to loss of user trust and brand damage.

Recommendation

Immediately update the Qi Blocks plugin to the latest patched version and review user permissions, especially for users with the Author role.

Original NVD description (English source)

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own — including site-wide surfaces via the reserved 'template' and 'widget' page_id values — enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS