Insecure Direct Object Reference Vulnerability in Qi Blocks Plugin for WordPress
CVE-2026-10096
4.3 MEDIUM
What is CVE-2026-10096?
The Qi Blocks plugin for WordPress has a serious vulnerability: the 'page_id' parameter is a user-controlled key that is insufficiently validated, which authenticated users with author-level access or higher can exploit. This flaw enables attackers to alter the Qi Blocks styles of any post, template, or widget, thereby facilitating unauthorized modifications to site-wide appearance. Because the permission checks rely solely on generic post editing capabilities, any such user can exploit this vulnerability regardless of actual ownership of the content, potentially leading to unauthorized frontend changes, content relocation, and overall degradation of site integrity.
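The gap between a generic capability check and a per-object check, sketched as a WordPress REST permission callback. This is an added example, not code from the Qi Blocks plugin: the route, function names, storage keys, the `styles` parameter, the use of `edit_posts` as the generic check, and the rule that non-numeric `page_id` values require `edit_theme_options` are all assumptions.

```php
<?php
// Added illustration, NOT the Qi Blocks source. Route, function, meta-key and
// option names are hypothetical; only 'page_id' comes from the advisory.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/styles', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_styles',
        // Weak form (generic capability only, illustrating the advisory):
        //   'permission_callback' => function () {
        //       return current_user_can( 'edit_posts' );
        //   },
        // Corrected form: authorize against the object named by page_id.
        'permission_callback' => 'example_can_edit_style_target',
    ) );
} );

function example_can_edit_style_target( WP_REST_Request $request ) {
    $page_id = $request->get_param( 'page_id' );
    if ( ! is_scalar( $page_id ) || '' === (string) $page_id ) {
        return new WP_Error( 'example_bad_id', 'Invalid page_id.', array( 'status' => 400 ) );
    }
    // Assumption: non-numeric keys name site-wide targets (templates, widgets),
    // so they require a site-level capability rather than a post capability.
    if ( ! ctype_digit( (string) $page_id ) ) {
        return current_user_can( 'edit_theme_options' );
    }
    // Unknown IDs are refused without revealing whether the post exists.
    if ( ! get_post( (int) $page_id ) ) {
        return false;
    }
    // Meta capability: WordPress maps it to ownership and post status, so an
    // author passes for their own posts and fails for another user's post.
    return current_user_can( 'edit_post', (int) $page_id );
}

function example_save_styles( WP_REST_Request $request ) {
    // Runs only after the permission callback above has returned true.
    $page_id = (string) $request->get_param( 'page_id' );
    $styles  = wp_json_encode( $request->get_param( 'styles' ) );
    if ( ctype_digit( $page_id ) ) {
        update_post_meta( (int) $page_id, '_example_styles', wp_slash( $styles ) );
    } else {
        update_option( 'example_styles_' . sanitize_key( $page_id ), $styles );
    }
    return rest_ensure_response( array( 'saved' => true ) );
}
```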
Affected Version(s)
Qi Blocks: all versions up to and including 1.4.9