๐Ÿ” CVE Alert

CVE-2026-10096

MEDIUM 4.3

Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter

CVSS Score: 4.3
EPSS Score: 0.0%
EPSS Percentile: 0th

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own (including site-wide surfaces via the reserved 'template' and 'widget' page_id values), enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.
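
The authorization gap described above, next to an object-level check that closes it. This is an added illustration, not the plugin's code: the function names and the capability chosen for the reserved 'template' and 'widget' values are assumptions, and only the WordPress core calls are real APIs. The second function is meant to be used as the route's permission_callback.

```php
<?php
// Added illustration, not Qi Blocks source. Function names are hypothetical.

// Weak pattern as described: only generic capabilities are checked, so every
// Author passes no matter which object 'page_id' refers to.
function example_weak_permission_check() {
	return current_user_can( 'edit_posts' ) && current_user_can( 'publish_posts' );
}

// Hardened pattern: authorize against the specific object named by 'page_id'.
function example_object_permission_check( WP_REST_Request $request ) {
	$page_id = $request->get_param( 'page_id' );

	// Reserved values address site-wide surfaces. Assumption: treat them like
	// theme-level settings and require a capability Authors do not hold.
	if ( in_array( $page_id, array( 'template', 'widget' ), true ) ) {
		return current_user_can( 'edit_theme_options' );
	}

	// Anything else must be a positive integer ID of an existing post.
	if ( ! is_scalar( $page_id ) || ! ctype_digit( (string) $page_id ) || (int) $page_id < 1 ) {
		return new WP_Error( 'invalid_page_id', 'Invalid page_id.', array( 'status' => 400 ) );
	}
	$post = get_post( (int) $page_id );
	if ( ! $post ) {
		return new WP_Error( 'not_found', 'Unknown page_id.', array( 'status' => 404 ) );
	}

	// The 'edit_post' meta capability is resolved per object (ownership and
	// post status), so an Author passes only for posts they may edit.
	if ( ! current_user_can( 'edit_post', $post->ID ) ) {
		return new WP_Error( 'forbidden', 'You cannot edit styles for this item.', array( 'status' => 403 ) );
	}
	return true;
}
```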

CWE: CWE-639
Vendor: qodeinteractive
Product: qi blocks
Published: Jul 1, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Affected Versions

qodeinteractive / Qi Blocks
0 ≤ 1.4.9

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/64251fd4-1627-49d0-831f-5cb9898c38bf?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L142
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L134
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L82
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3572812%40qi-blocks&new=3572812%40qi-blocks&sfp_email=&sfph_mail=

Credits

Dmitrii Ignatyev