CVE-2026-10096: CWE-639 Authorization Bypass Through User-Controlled Key in qodeinteractive Qi Blocks
The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own — including site-wide surfaces via the reserved 'template' and 'widget' page_id values — enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.
AI Analysis
Technical Summary
CVE-2026-10096 describes an Insecure Direct Object Reference (IDOR) vulnerability in the Qi Blocks WordPress plugin affecting all versions up to and including 1.4.9. The issue stems from the 'page_id' parameter lacking proper validation, allowing authenticated users with author-level or higher privileges to modify stored styles of arbitrary posts, templates, or widgets regardless of ownership. The permission callback only verifies generic capabilities (edit_posts and publish_posts) without ownership checks, enabling unauthorized modification of site-wide elements such as templates and widgets. This can lead to frontend defacement, content hiding, or degradation of any page on the site.
Potential Impact
The vulnerability allows authenticated users with author-level access or higher to alter the appearance and content presentation of posts, templates, or widgets they do not own. This can result in unauthorized frontend defacement, hiding of legitimate content, or degradation of site pages. No direct confidentiality or availability impact is reported. The CVSS 3.1 base score is 4.3 (medium severity), reflecting low attack complexity and the low privileges required (an Author account), with no confidentiality or availability impact.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Users should monitor the vendor's advisory for updates and apply any future patches promptly. Until a fix is released, consider restricting author-level permissions or implementing additional access controls to limit modification capabilities. Review and harden permission callbacks to ensure ownership validation where possible.
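The last recommendation, hardening the permission callback so it validates ownership of the object named by page_id, is shown below as an added example. This is not Qi Blocks' code: the route, function names and the site-level capability chosen for the reserved 'template' and 'widget' values are assumptions; the weak form mirrors only what the advisory says the endpoint checks.

```php
<?php
// Added example, not Qi Blocks' code. Route, function names and the
// capability used for the reserved 'template'/'widget' values are assumptions.
// Weak form, as the advisory describes: generic capabilities only, so any
// Author passes no matter which page_id the request names.
function example_weak_permission( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' ) && current_user_can( 'publish_posts' );
}

// Hardened form: resolve page_id to a check on the specific target object.
function example_hardened_permission( WP_REST_Request $request ) {
    $page_id = $request->get_param( 'page_id' );

    // Reserved site-wide surfaces: require a site-level capability (assumed
    // here to be edit_theme_options) rather than any post capability.
    if ( 'template' === $page_id || 'widget' === $page_id ) {
        return current_user_can( 'edit_theme_options' );
    }

    // Anything else must be a positive integer naming an existing post.
    if ( ! is_numeric( $page_id ) || (int) $page_id <= 0 ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid page_id.', array( 'status' => 400 ) );
    }
    $post = get_post( (int) $page_id );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Unknown page_id.', array( 'status' => 404 ) );
    }

    // Meta capability: WordPress maps edit_post on another user's post to
    // edit_others_posts, which the Author role lacks, so Authors pass only
    // for their own posts while Editors and Administrators pass for any.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot edit this post.', array( 'status' => 403 ) );
    }
    return true;
}

// Hypothetical handler; WordPress calls it only if the permission check returned true.
function example_save_styles( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'page_id' => $request->get_param( 'page_id' ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/styles', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_styles',
        'permission_callback' => 'example_hardened_permission',
        'args'                => array( 'page_id' => array( 'required' => true ) ),
    ) );
} );
```

Returning a WP_Error from the permission_callback makes the REST API answer with that status and skip the handler, which also gives the request a distinct 403 to alert on in access logs.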
CVSS v3.1 base score: 4.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-05-29T14:01:46.700Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a44ca9627e9c797192fabbe
Added to database: 07/01/2026, 08:06:46 UTC
Last enriched: 07/01/2026, 08:22:36 UTC
Last updated: 07/01/2026, 21:40:17 UTC