Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-reachable REST endpoint requires only Author-level credentials (PR:L); no confidentiality or availability impact; integrity limited to style data modification.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own - including site-wide surfaces via the reserved 'template' and 'widget' page_id values - enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.
AnalysisAI
Insecure Direct Object Reference in the Qi Blocks WordPress plugin (all versions ≤ 1.4.9) allows any authenticated user with Author-level access to overwrite the stored global styles of arbitrary posts, templates, or widgets they do not own by manipulating the unvalidated 'page_id' parameter. Critically, the reserved 'template' and 'widget' page_id values expose site-wide surfaces, enabling an Author to deface, hide content on, or visually degrade any page across the entire WordPress installation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with at minimum the built-in Author role, which grants the edit_posts and publish_posts capabilities checked by the endpoint's permission_callback. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects the mechanical severity: network-reachable, low complexity, requires low-privilege authentication, no user interaction needed, and limited to integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered or compromised an Author-level account on a target WordPress site crafts a POST request to the Qi Blocks global styles endpoint, substituting the 'page_id' value with the reserved string 'template' instead of one of their own post IDs. The server's permission_callback passes because the attacker holds edit_posts and publish_posts capabilities, and no ownership check is performed. … |
| Remediation | Upstream fix available (Trac changeset 3572812 at plugins.trac.wordpress.org); a released patched version number beyond 1.4.9 is not independently confirmed from the available data - monitor the WordPress plugin repository for an update and apply it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its block options before outputting them
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Counter block options before outputti
The Qi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all ve
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Countdown block options before output
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40936
GHSA-69gg-pvp7-2fx5