Skip to main content

Static Block CVE-2026-10780

| EUVDEUVD-2026-37034 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-16 Wordfence GHSA-3hxp-mvw5-v9p7
4.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

PR:L reflects mandatory contributor authentication; C:L is appropriate since only post_content is exposed, not credentials or system data.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 06:24 vuln.today
CVE Published
Jun 16, 2026 - 04:30 nvd
MEDIUM 4.3

DescriptionNVD

The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content without verifying the post's status (private, draft, pending) or the requesting user's capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id="X"] shortcode in their own content and previewing it.

AnalysisAI

Insecure Direct Object Reference in the Static Block WordPress plugin (versions ≤2.2) allows contributor-level authenticated users to read the full post_content of any post - including private, draft, and pending posts created by administrators - by embedding the [static_block_content id="X"] shortcode and triggering a preview. The shortcode handler in static-block.php calls get_post() with an attacker-supplied numeric ID and outputs the result without any post-status or capability verification. No public exploit code has been identified at time of analysis and this is not listed in CISA KEV, but the attack is low-complexity and requires only a standard contributor WordPress account.

Technical ContextAI

The vulnerability originates in the static_block_content() shortcode handler within static-block.php (lines 244, 268, 270 per the trac.wordpress.org source references). WordPress's get_post() function retrieves any post object by numeric ID regardless of its publication status - it is a raw database fetch with no built-in authorization enforcement. Correct implementation requires either checking the post's post_status against the requesting user's capabilities (e.g., current_user_can('read_private_posts')) or using a query that constrains post_status to 'publish'. By omitting these checks and directly printing post_content, the handler creates a CWE-639 (Authorization Bypass Through User-Controlled Key) condition: the user-supplied 'id' attribute acts as the object key and no authorization gate stands between it and the output. The CPE string cpe:2.3:a:mohammadtanzilurrahman:static_block:*:*:*:*:*:*:*:* confirms the affected plugin is the Static Block plugin by vendor mohammadtanzilurrahman, distributed through the WordPress plugin directory.

RemediationAI

The primary remediation is to update the Static Block plugin to a version beyond 2.2 once a patched release is confirmed; no exact fixed version number is available in the current data, so administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/f88c00ca-cf9e-44e7-9495-686ace1ead21?source=cve for patch confirmation. As an immediate compensating control, administrators should audit and restrict contributor-level role assignments, removing or demoting any untrusted users, since the attack is entirely gated on holding at least a contributor account. If the plugin is not actively required, deactivating it eliminates the attack surface entirely with the trade-off of disabling all shortcode-rendered static block content site-wide. Role management plugins can additionally be used to strip shortcode execution or post preview capabilities from contributors, though this may conflict with normal WordPress editorial workflows. Content sensitivity of private and draft posts should be assessed - sites storing credentials, internal communications, or sensitive operational data in draft post_content fields should treat this as higher priority.

Share

CVE-2026-10780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy