Description
The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own — including site-wide surfaces via the reserved 'template' and 'widget' page_id values — enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.
Published: 2026-07-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Qi Blocks plugin for WordPress suffers from an insecure direct object reference flaw caused by missing validation on the 'page_id' request parameter. Authenticated users with author-level permissions or higher can point this parameter at any post, template, or widget and overwrite its stored Qi Blocks styles, including the site-wide surfaces reachable through the reserved 'template' and 'widget' page_id values. As a result, an attacker can deface the front end, hide content, or degrade the appearance of any page on the site without owning the target object.

Affected Systems

The vulnerability affects all releases of the Qi Blocks plugin from the Qode Interactive team up to and including version 1.4.9.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) indicates medium severity: the endpoint is reachable over the network with low complexity and no user interaction, requires low privileges, and yields a limited integrity impact with no confidentiality or availability impact. The EPSS score is below 1% (very low), and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a legitimate login with at least the Author role; the REST endpoint's permission callback checks only the generic edit_posts and publish_posts capabilities and never checks whether the caller may edit the object that page_id refers to, so any user holding those capabilities can abuse the flaw. Successful exploitation allows unauthorized modification of site styling and front-end presentation, which can mislead visitors or obscure information.

Generated by OpenCVE AI on July 1, 2026 at 12:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Qi Blocks plugin to a release newer than 1.4.9 as soon as the vendor publishes one; every version up to and including 1.4.9 is affected, and a correct fix validates page_id against the caller's rights to the referenced post, template, or widget rather than against generic capabilities.
  • Limit who can reach the vulnerable action. The endpoint admits anyone holding edit_posts and publish_posts, and those capabilities are what make an Author able to write at all, so they cannot be removed without breaking normal authoring; instead reduce Author-or-above accounts to trusted users, and treat any style change to the 'template' or 'widget' surfaces by a non-Administrator as suspicious, since those surfaces should only ever be edited by Administrators (or Editors, if your site delegates theme styling to them).
  • Until a fixed release is installed, use a WordPress security plugin or a small must-use plugin to enforce object-level authorization on the REST endpoint that stores the styles: resolve page_id to the target post and require edit_post on it, and require an administrator-level capability for the reserved 'template' and 'widget' values. Blocking the endpoint outright for non-Administrators is the blunt alternative; it also stops authors from styling their own posts, which is the intended use.

Generated by OpenCVE AI on July 1, 2026 at 12:49 UTC.
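As an added illustration (not code from Qi Blocks, Qode Interactive, or OpenCVE), the following must-use plugin shows the object-level authorization check that the description says the endpoint lacks, wired in through WordPress's rest_request_before_callbacks filter so a site owner can apply it without patching the plugin. The route prefix QI_STYLES_ROUTE_PREFIX and the helper qi_styles_authorize_page_id are placeholders chosen for this example, not identifiers from the plugin; the real route must be read from the installed plugin's register_rest_route call. Gating the reserved 'template' and 'widget' values on edit_theme_options, the capability WordPress already uses for widgets and theme settings, is likewise a design choice of this example.

```php
<?php
/**
 * Plugin Name: Object-level page_id check for block style endpoints
 *
 * Added illustration, not Qi Blocks' code. Installs a pre-callback REST
 * filter that refuses style modifications unless the caller may edit the
 * object that 'page_id' refers to.
 *
 * Assumptions (placeholders, not taken from the plugin):
 *   - the affected route starts with QI_STYLES_ROUTE_PREFIX;
 *   - 'page_id' is either a post ID or the reserved string 'template'
 *     or 'widget';
 *   - site-wide surfaces are gated on edit_theme_options.
 */

// Placeholder route prefix; replace with the real namespace/route from the
// plugin's register_rest_route() call before using this on a site.
const QI_STYLES_ROUTE_PREFIX = '/qi-blocks/';

/**
 * The weak pattern the advisory describes, shown only for contrast:
 *
 *   'permission_callback' => function () {
 *       return current_user_can( 'edit_posts' )
 *           && current_user_can( 'publish_posts' );
 *   }
 *
 * Every Author passes this regardless of what page_id points at.
 */

/**
 * Decide whether the current user may modify styles for $page_id.
 * Returns true, or a WP_Error carrying the HTTP status to send.
 */
function qi_styles_authorize_page_id( $page_id ) {
    // Site-wide surfaces: require the theme/widget capability that only
    // Administrators hold by default, not the generic edit_posts.
    if ( 'template' === $page_id || 'widget' === $page_id ) {
        if ( current_user_can( 'edit_theme_options' ) ) {
            return true;
        }
        return new WP_Error(
            'rest_forbidden',
            'Site-wide styles require edit_theme_options.',
            array( 'status' => 403 )
        );
    }

    // Everything else must be a real post the caller is allowed to edit.
    // 'edit_post' is a meta capability: for an Author it resolves to
    // edit_others_posts when the post belongs to someone else.
    $post_id = absint( $page_id );
    if ( 0 === $post_id || null === get_post( $post_id ) ) {
        return new WP_Error(
            'rest_invalid_param',
            'Unknown page_id.',
            array( 'status' => 400 )
        );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You may not edit styles for this post.',
            array( 'status' => 403 )
        );
    }
    return true;
}

/**
 * rest_request_before_callbacks runs before the route's own
 * permission_callback; returning a WP_Error here short-circuits the request.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // something earlier already refused it
    }
    if ( 0 !== strpos( $request->get_route(), QI_STYLES_ROUTE_PREFIX ) ) {
        return $response; // not one of the style routes; leave it alone
    }
    $page_id = $request->get_param( 'page_id' );
    if ( null === $page_id ) {
        return $response; // no page_id, so nothing to authorize here
    }
    $decision = qi_styles_authorize_page_id( $page_id );
    return true === $decision ? $response : $decision;
}, 10, 3 );
```

Drop the file into wp-content/mu-plugins/ and adjust the prefix. The filter returns a 403 whenever the caller cannot edit the referenced post or lacks edit_theme_options for the site-wide values, a 400 for a page_id that resolves to nothing, and passes every other request through untouched. The same qi_styles_authorize_page_id logic is what the plugin's own permission_callback should perform on $request['page_id'] in a proper fix.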


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Qodeinteractive; Qodeinteractive qi Blocks; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Qodeinteractive; Qodeinteractive qi Blocks; Wordpress; Wordpress wordpress

Wed, 01 Jul 2026 11:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 08:15:00 +0000

Type: Description
Values Added: The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own — including site-wide surfaces via the reserved 'template' and 'widget' page_id values — enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.

Type: Title
Values Added: Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added: (none recorded)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Qodeinteractive Qi Blocks
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:32:04.339Z

Reserved: 2026-05-29T14:01:46.700Z

Link: CVE-2026-10096

Vulnrichment

Updated: 2026-07-01T10:30:36.398Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T14:00:06Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key