Skip to main content

Qi Blocks CVE-2026-10096

| EUVDEUVD-2026-40936 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-01 Wordfence GHSA-69gg-pvp7-2fx5
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable REST endpoint requires only Author-level credentials (PR:L); no confidentiality or availability impact; integrity limited to style data modification.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 08:34 vuln.today
CVE Published
Jul 01, 2026 - 07:53 nvd
MEDIUM 4.3

DescriptionCVE.org

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own - including site-wide surfaces via the reserved 'template' and 'widget' page_id values - enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.

AnalysisAI

Insecure Direct Object Reference in the Qi Blocks WordPress plugin (all versions ≤ 1.4.9) allows any authenticated user with Author-level access to overwrite the stored global styles of arbitrary posts, templates, or widgets they do not own by manipulating the unvalidated 'page_id' parameter. Critically, the reserved 'template' and 'widget' page_id values expose site-wide surfaces, enabling an Author to deface, hide content on, or visually degrade any page across the entire WordPress installation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise Author-level WordPress account
Delivery
Enumerate post/template page_id values via site crawl
Exploit
Craft POST to Qi Blocks global styles endpoint with arbitrary page_id
Execution
Bypass ownership validation (permission_callback checks only edit_posts/publish_posts)
Persist
Overwrite stored block styles for target post or site-wide template/widget surface
Impact
Frontend defacement propagates to all site visitors

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with at minimum the built-in Author role, which grants the edit_posts and publish_posts capabilities checked by the endpoint's permission_callback. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects the mechanical severity: network-reachable, low complexity, requires low-privilege authentication, no user interaction needed, and limited to integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or compromised an Author-level account on a target WordPress site crafts a POST request to the Qi Blocks global styles endpoint, substituting the 'page_id' value with the reserved string 'template' instead of one of their own post IDs. The server's permission_callback passes because the attacker holds edit_posts and publish_posts capabilities, and no ownership check is performed. …
Remediation Upstream fix available (Trac changeset 3572812 at plugins.trac.wordpress.org); a released patched version number beyond 1.4.9 is not independently confirmed from the available data - monitor the WordPress plugin repository for an update and apply it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy