Security Alert Summary
The Qi Blocks plugin for WordPress contains an Insecure Direct Object Reference (IDOR) in the handling of the page_id parameter in versions up to and including 1.4.9. Because the endpoint lacks proper validation and its permission checks rely only on generic capabilities, an authenticated user with author-level access or higher can modify stored Qi Blocks styles for posts, templates, or widgets they do not own, which can result in frontend defacement, content hiding, or degradation of site pages.
CVE Details
- CVE ID: CVE-2026-10096
- Affected component: Qi Blocks plugin for WordPress
- Affected versions: All versions up to and including 1.4.9
- Published: July 1, 2026 at 08:16:19 AM UTC
- Last Modified: July 1, 2026 at 01:56:17 PM UTC
- CVSS v3.1: Base Score 4.3, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / Privileges / User interaction: Privileges Required: Low (an authenticated user with author-level capabilities satisfies the endpoint checks); User Interaction: None
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key)
Technical Details
The vulnerability is an Insecure Direct Object Reference caused by missing validation of a user-controlled key passed via the page_id parameter. The plugin’s endpoint performs a permission_callback that checks only the generic edit_posts and publish_posts capabilities. Because those checks do not enforce post ownership, any authenticated user meeting those capabilities (for example, the built-in Author role) can supply crafted page_id values to modify stored Qi Blocks styles for arbitrary targets.
Named reserved page_id values such as template and widget are accepted by the same logic, allowing modification of site-wide surfaces. The practical result is that an attacker with the required privileges can alter block styling or other stored presentation data for posts, templates, or widgets they do not own, leading to unauthorized frontend defacement, hiding of content, or visual degradation of pages.
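As an added illustration (not the plugin's own code; the route name, function names, option and meta keys are hypothetical), the generic-capability check the advisory describes is shown beside a hardened permission_callback that authorizes against the specific object the page_id names, treating the reserved template and widget keys as site-level targets:

```php
<?php
// Added example, not Qi Blocks code. Route, function and key names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/styles', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_styles',
        'permission_callback' => 'example_can_save_styles',
    ) );
} );

// Weak pattern from the advisory: only generic capabilities are checked, so any
// Author can pass an arbitrary page_id, including the reserved "template"/"widget".
function example_can_save_styles_weak( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' ) && current_user_can( 'publish_posts' );
}

// Hardened check: authorize against the object the user-controlled key refers to.
function example_can_save_styles( WP_REST_Request $request ) {
    $page_id = $request->get_param( 'page_id' );

    // Site-wide surfaces need a site-level capability (assumption: edit_theme_options).
    if ( in_array( $page_id, array( 'template', 'widget' ), true ) ) {
        return current_user_can( 'edit_theme_options' );
    }

    // Anything else must be an existing post the caller may edit; the 'edit_post'
    // meta capability maps to edit_others_posts for posts the user does not own.
    if ( ! is_numeric( $page_id ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid page_id.', array( 'status' => 400 ) );
    }
    $post = get_post( (int) $page_id );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    return current_user_can( 'edit_post', $post->ID );
}

function example_save_styles( WP_REST_Request $request ) {
    $page_id = $request->get_param( 'page_id' );
    $styles  = sanitize_textarea_field( $request->get_param( 'styles' ) );
    // Storage is illustrative; the plugin's real storage layout is not shown on this page.
    if ( is_numeric( $page_id ) ) {
        update_post_meta( (int) $page_id, '_example_block_styles', $styles );
    } else {
        update_option( 'example_block_styles_' . $page_id, $styles );
    }
    return rest_ensure_response( array( 'saved' => true ) );
}
```

With the hardened callback, an Author who submits the id of another user's post is refused unless they hold edit_others_posts, and the reserved keys are refused unless they can edit theme options.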
How This Could Impact Your Website
Consider a site with multiple users: a site owner, internal content editors, and external contributors or contractors. If a contributor or contractor has an Author-level account, they could use this vulnerability to change Qi Blocks styles for posts or templates they do not own. That could result in visible content being hidden, page layouts breaking, or misleading styling being applied across multiple pages or site-wide templates.
For example, an author-level account could modify the style of a shared template or a widget, affecting the appearance of pages the site owner and editors expect to remain consistent. These changes can harm visitor trust and disrupt normal site operations until the styling is corrected.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and capabilities, especially Author and Contributor roles.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins and themes from your site.
- Monitor site activity and logs for unusual behavior related to content or template changes.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L134
- https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L142
- https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L82
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3572812%40qi-blocks&new=3572812%40qi-blocks&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/64251fd4-1627-49d0-831f-5cb9898c38bf?source=cve