Insecure Direct Object Reference Vulnerability in Qi Blocks Plugin for WordPress
CVE-2026-10096

4.3 MEDIUM

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 1 July 2026

What is CVE-2026-10096?

The Qi Blocks plugin for WordPress contains an Insecure Direct Object Reference: the 'page_id' parameter is not validated against the caller's rights to the object it names, so authenticated users with author-level access or higher can supply an arbitrary ID. Because the permission check relies solely on a generic post-editing capability rather than a check on the specific object, a user who holds that capability can alter the Qi Blocks styles of any post, template, or widget regardless of whether they own it. The result is unauthorized frontend changes, relocated content, and a general loss of site integrity.
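The following is an added illustration of the class of mistake described above, not Qi Blocks's own code: a WordPress REST handler that stores block styles for a client-supplied `page_id`, with the weak generic-capability check beside an object-level check. The route, handler names and meta key are assumptions.

```php
<?php
// Added illustrative example, not Qi Blocks's own code. Route, function names
// and the '_qi_example_styles' meta key are assumptions for this demo.

// WEAK: only the generic capability is checked. Any author holds 'edit_posts'
// (for their own posts), so the check passes whatever page_id they send.
function qi_example_permission_weak( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// HARDENED: resolve the object the request targets and check the caller's
// capability on that object. 'edit_post' is a meta-capability that WordPress
// maps to edit_others_posts / edit_published_posts etc. based on ownership
// and status, so a non-owning author is refused. (Templates and widgets that
// are not posts would need their own object-level checks, e.g. edit_theme_options.)
function qi_example_permission_hardened( WP_REST_Request $request ) {
    $page_id = absint( $request->get_param( 'page_id' ) );
    if ( ! $page_id || ! get_post( $page_id ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $page_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to edit this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function qi_example_save_styles( WP_REST_Request $request ) {
    $page_id = absint( $request->get_param( 'page_id' ) );
    // Sanitization of the style payload is a separate concern; a plain
    // textarea sanitizer is used here only to keep the demo self-contained.
    $styles = sanitize_textarea_field( (string) $request->get_param( 'styles' ) );
    update_post_meta( $page_id, '_qi_example_styles', $styles );
    return rest_ensure_response( array( 'saved' => true, 'page_id' => $page_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'qi-example/v1', '/styles', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'qi_example_save_styles',
        'permission_callback' => 'qi_example_permission_hardened', // not _weak
        'args'                => array(
            'page_id' => array( 'required' => true, 'validate_callback' => 'rest_is_integer' ),
        ),
    ) );
} );
```

The same object-level pattern applies to admin-ajax handlers: the capability check must name the object taken from the request, not merely confirm the caller can edit some posts.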

Affected Version(s)

Qi Blocks: all versions up to and including 1.4.9

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Dmitrii Ignatyev