CVE-2026-10096 PUBLISHED

Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter

Assigner: Wordfence
Reserved: 29.05.2026 Published: 01.07.2026 Updated: 01.07.2026

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own — including site-wide surfaces via the reserved 'template' and 'widget' page_id values — enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Product Status

Vendor qodeinteractive
Product Qi Blocks
Versions Default: unaffected
  • affected from 0 to 1.4.9 (incl.)

Credits

  • Dmitrii Ignatyev finder

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key CWE