Impact
The Qi Blocks plugin for WordPress suffers from an insecure direct object reference (IDOR) flaw caused by missing validation of the 'page_id' request parameter. Authenticated users with author-level permissions can use this parameter to change the stored global styles of any post, template, or widget, including site-wide surfaces that are addressed by reserved page_id values. As a result, attackers can deface the front-end, hide content, or degrade the appearance of any page without owning the target.
Affected Systems
The vulnerability affects all releases of the Qi Blocks plugin from the Qode Interactive team up to and including version 1.4.9.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, and no EPSS score is available. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires a legitimate login with at least the Author role; the REST endpoint's permission callback only checks the generic edit_posts and publish_posts capabilities, not whether the caller may edit the specific object named by page_id, so any user with those capabilities can abuse the flaw. Successful exploitation allows unauthorized modification of site styling and front-end content, which can mislead visitors or obscure information.
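The defect described above is a permission callback that checks only role-level capabilities. The following added example (not Qi Blocks' code; the route, option key, reserved ids and function names are hypothetical, only the WordPress APIs are real) shows that weak check beside a callback that binds authorization to the object named by page_id:

```php
<?php
// BEFORE: generic capability check. Any Author passes, regardless of which
// page_id the request names, which is the IDOR pattern described above.
function example_styles_permission_weak( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' ) && current_user_can( 'publish_posts' );
}

// AFTER: authorize against the specific object. Hypothetical negative ids
// stand for site-wide surfaces and require an administrator capability.
function example_styles_permission_fixed( WP_REST_Request $request ) {
    $page_id      = (int) $request->get_param( 'page_id' );
    $reserved_ids = array( -1, -2, -3 ); // constructed: header, footer, archive

    if ( in_array( $page_id, $reserved_ids, true ) ) {
        return current_user_can( 'manage_options' )
            ? true
            : new WP_Error( 'rest_forbidden', 'Site-wide styles require admin rights.', array( 'status' => 403 ) );
    }
    if ( $page_id <= 0 || ! get_post( $page_id ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown page_id.', array( 'status' => 400 ) );
    }
    // Object-level check: for another user's post this maps to edit_others_posts,
    // which the Author role does not have.
    if ( ! current_user_can( 'edit_post', $page_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot edit this object.', array( 'status' => 403 ) );
    }
    return true;
}

function example_save_styles( WP_REST_Request $request ) {
    $page_id = (int) $request->get_param( 'page_id' );
    $styles  = wp_strip_all_tags( (string) $request->get_param( 'styles' ) );
    if ( $page_id < 0 ) {
        update_option( 'example_global_styles_' . abs( $page_id ), $styles ); // hypothetical key
    } else {
        update_post_meta( $page_id, '_example_global_styles', $styles );      // hypothetical key
    }
    return rest_ensure_response( array( 'page_id' => $page_id, 'saved' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/global-styles', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_styles',
        'permission_callback' => 'example_styles_permission_fixed',
        'args'                => array(
            'page_id' => array( 'required' => true, 'type' => 'integer' ),
            'styles'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

A quick detection check for the fix is to call the route as an Author with a page_id belonging to another user and with a reserved id; both should now return 403 instead of 200.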
OpenCVE Enrichment