Description
The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content without verifying the post's status (private, draft, pending) or the requesting user's capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id="X"] shortcode in their own content and previewing it.
Published: 2026-06-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Static Block plugin for WordPress allows an authenticated user with contributor-level or higher access to embed a shortcode that references a post by ID. The plugin retrieves the post using get_post() but does not verify the post status or the viewer’s capability. This allows the attacker to read the full content of any post, including private, draft, or pending posts created by administrators. The vulnerability can leak confidential or sensitive information stored in posts.

Affected Systems

The vulnerability affects the Static Block plugin for WordPress in all versions up to and including 2.2. Users running these versions are potentially exposed to information disclosure through the shortcode feature.

Risk and Exploitability

The CVSS score is 4.3, indicating medium impact under current scoring. The EPSS score of < 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an authenticated attacker who can edit and preview content, which is achievable by contributors or higher roles on the site.

Generated by OpenCVE AI on June 16, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Static Block plugin to the latest version (2.3 or later) where the shortcode validation has been fixed.
  • If an immediate upgrade is not possible, restrict the rendering of the shortcode to users with administrative privileges by adding a capability check before the shortcode executes, or by modifying the plugin to enforce post status verification.
  • Remove or sanitize existing [static_block_content] shortcodes from user-generated content to eliminate the potential for unauthorized disclosure.
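As an added illustration of the second recommended action, the handler below is not the Static Block plugin's own code: it is a hypothetical reconstruction of the shortcode pattern the description outlines, placed beside a hardened version that checks post type, post status and the current user's read capability before rendering. The post type slug 'static_block' and the function names are assumptions.

```php
<?php
// Added example, not code from the Static Block plugin. The "vulnerable" function
// reconstructs the pattern described in the advisory; the post type slug
// 'static_block' is an assumption.

// Pattern described in the advisory: the attacker-controlled 'id' attribute is
// passed straight to get_post() and post_content is returned unconditionally.
function static_block_content_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'static_block_content' );
    $post = get_post( (int) $atts['id'] );
    return $post ? $post->post_content : '';
}

// Hardened handler: renders only the plugin's own post type, refuses drafts,
// pending and private posts unless the viewer may read that specific post, and
// never leaks password-protected content.
function static_block_content_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'static_block_content' );
    $id   = absint( $atts['id'] );
    if ( ! $id ) {
        return '';
    }
    $post = get_post( $id );
    if ( ! $post || 'static_block' !== $post->post_type ) {
        return ''; // wrong type or non-existent: closes the "any other post type" path
    }
    // map_meta_cap() resolves 'read_post' to read_private_posts for private posts
    // and to the edit_post capabilities for drafts/pending, so a contributor cannot
    // read another author's unpublished block through the shortcode.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    if ( post_password_required( $post ) ) {
        return '';
    }
    return $post->post_content;
}

// Re-register the shortcode with the hardened handler. Hook this late on 'init'
// so it runs after the plugin has registered its own handler.
add_action( 'init', function () {
    remove_shortcode( 'static_block_content' );
    add_shortcode( 'static_block_content', 'static_block_content_hardened' );
}, 100 );
```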

Generated by OpenCVE AI on June 16, 2026 at 20:39 UTC.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content without verifying the post's status (private, draft, pending) or the requesting user's capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id="X"] shortcode in their own content and previewing it.
Title Static Block <= 2.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode 'id' Attribute
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-16T14:00:23.044Z

Reserved: 2026-06-03T16:01:12.626Z

Link: CVE-2026-10780

Vulnrichment

Updated: 2026-06-16T14:00:20.057Z

NVD

Status : Deferred

Published: 2026-06-16T06:16:58.013

Modified: 2026-06-16T15:22:49.577

Link: CVE-2026-10780

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key