
CVE-2026-10780: WordPress Static Block IDOR Vulnerability

CVE-2026-10780 is an Insecure Direct Object Reference vulnerability in the WordPress Static Block plugin that allows authenticated attackers to access private and draft content. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2026-10780 Overview

CVE-2026-10780 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in the Static Block plugin for WordPress, affecting all versions up to and including 2.2. The static_block_content() shortcode handler retrieves posts via get_post() using an attacker-supplied id attribute and outputs the post_content without validating post status or user capability. Authenticated attackers with contributor-level access or above can read arbitrary posts, including private and draft content created by administrators.

Critical Impact

Authenticated contributors can disclose the contents of private posts, drafts, and pending content of any post type by embedding the [static_block_content id="X"] shortcode in their own draft and previewing it.

Affected Products

  • Static Block plugin for WordPress, versions ≤ 2.2
  • WordPress installations granting contributor-level access to untrusted users
  • Sites publishing content via the static_block_content shortcode

Discovery Timeline

  • 2026-06-16 - CVE-2026-10780 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-10780

Vulnerability Analysis

The Static Block plugin exposes the static_block_content shortcode to render reusable content snippets. The shortcode handler accepts an id attribute supplied by any user authoring content. The handler then calls get_post() on that identifier and writes the returned post_content directly into the rendered output. The handler does not check the post's status (publish, private, draft, pending, trash) and does not invoke a capability check such as current_user_can('read_post', $id). As a result, the access control assumption that the WordPress editor will only expose static_block posts the user can view is bypassed at render time.

Because get_post() returns any post regardless of type, the disclosure is not limited to static blocks. An attacker can request the content of any post object stored in the database, including drafts written by editors and administrators.

Root Cause

The root cause is a missing authorization check on a user-controlled object reference. The plugin trusts the id shortcode attribute and conflates the ability to author a shortcode with the ability to read the referenced object. WordPress capabilities such as read_private_posts are never consulted before the post content is emitted.
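The pattern described above, reconstructed as an added illustration rather than the plugin's own source: a handler that trusts the id attribute, beside a hardened version that restricts the object type and consults the viewer's per-object capability. Function names are hypothetical, and the post type name 'static_block' is an assumption about how the plugin registers its blocks.

```php
<?php
// Added illustration of the pattern described above; not the plugin's own source.
// Vulnerable shape: the id attribute is trusted and post_content is returned
// regardless of post type, post status or the viewer's capabilities.
function vulnerable_static_block_content( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'static_block_content' );
    $post = get_post( (int) $atts['id'] );
    return $post ? do_shortcode( $post->post_content ) : '';
}

// Hardened shape. Assumes the plugin registers its blocks under the post type
// 'static_block' (an assumption; adjust to the real registered type).
function hardened_static_block_content( $atts ) {
    static $rendering = array(); // guards against a block that references itself

    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'static_block_content' );
    $post_id = absint( $atts['id'] );
    $post    = $post_id ? get_post( $post_id ) : null;

    // Only the intended object type may be referenced: closes the cross-type leak.
    if ( ! $post || 'static_block' !== $post->post_type ) {
        return '';
    }
    // Non-published blocks need a per-object check. WordPress maps read_post for
    // another user's private post to read_private_posts and for their draft or
    // pending post to the edit capabilities, so a contributor is refused here.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    if ( post_password_required( $post ) || isset( $rendering[ $post->ID ] ) ) {
        return '';
    }

    $rendering[ $post->ID ] = true;
    $out = do_shortcode( $post->post_content ); // nested shortcodes only after authorization
    unset( $rendering[ $post->ID ] );
    return $out;
}
```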

Attack Vector

An attacker authenticates to WordPress at the contributor role or higher. The attacker creates a new draft post containing the shortcode [static_block_content id="X"], where X is an integer iterated against the post ID space. Using the post preview functionality, the attacker triggers shortcode rendering and reads the response body to harvest the referenced post's content. The technique works without any administrator interaction and produces no error when targeting non-public posts.

The vulnerability mechanism is documented in the plugin source at lines 244, 268, and 270 of static-block.php. See the WordPress Plugin Code Review and the Wordfence Vulnerability Report for the affected code paths.

Detection Methods for CVE-2026-10780

Indicators of Compromise

  • Draft or pending posts authored by contributor-level accounts containing the [static_block_content id="..."] shortcode with numeric IDs the author did not create
  • Preview requests (?preview=true or preview_id query parameters) issued repeatedly by the same user against their own posts in short succession
  • Sequential or fuzzing patterns of id attribute values across multiple revisions of a single draft

Detection Strategies

  • Query wp_posts for content matching the regex \[static_block_content[^\]]*id= and correlate authorship with the referenced post's owner and status
  • Review WordPress audit logs for contributors generating an unusual volume of post revisions or preview hits
  • Inspect web server access logs for authenticated GET requests to /?p=<id>&preview=true originating from non-editor accounts
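An added helper implementing the first detection strategy above (not from the page or the plugin): it queries wp_posts with the shortcode regex, then checks each referenced post's owner and status against the author of the draft or revision that contains the shortcode. It assumes the plugin's post type is named 'static_block' and is meant to run inside WordPress, for example with wp eval-file.

```php
<?php
// Added detection helper for the query strategy above; not from the page or plugin.
// Run inside WordPress, e.g.: wp eval-file find-static-block-refs.php
// Flags posts and revisions whose [static_block_content id="N"] shortcode points at
// a post the author does not own and could not read on their own (non-public status
// or a type other than the assumed 'static_block'): the IDOR abuse signature.
function find_suspicious_static_block_refs() {
    global $wpdb;
    $findings = array();

    // Coarse LIKE pre-filter in SQL ('[' is not a LIKE metacharacter), then the
    // page's regex in PHP, avoiding REGEXP escaping differences between MySQL versions.
    $rows = $wpdb->get_results(
        "SELECT ID, post_author, post_status, post_type, post_content
           FROM {$wpdb->posts}
          WHERE post_content LIKE '%[static_block_content%'"
    );

    foreach ( $rows as $row ) {
        if ( ! preg_match_all( '/\[static_block_content[^\]]*id=["\']?(\d+)/', $row->post_content, $m ) ) {
            continue;
        }
        foreach ( array_unique( $m[1] ) as $ref_id ) {
            $target = get_post( (int) $ref_id );
            if ( ! $target ) {
                continue;
            }
            $same_owner   = (int) $target->post_author === (int) $row->post_author;
            $public_block = 'publish' === $target->post_status && 'static_block' === $target->post_type;
            // Legitimate use: own content or a published static block. Anything else
            // that the author's own capabilities would not permit is a finding.
            if ( $same_owner || $public_block || user_can( (int) $row->post_author, 'read_post', $target->ID ) ) {
                continue;
            }
            $findings[] = array(
                'post'   => (int) $row->ID,          // draft or revision containing the shortcode
                'author' => (int) $row->post_author, // account that wrote it
                'target' => (int) $target->ID,       // referenced object
                'status' => $target->post_status,
                'type'   => $target->post_type,
            );
        }
    }
    return $findings;
}

foreach ( find_suspicious_static_block_refs() as $f ) {
    printf( "post %d by user %d references %s %s #%d\n",
        $f['post'], $f['author'], $f['status'], $f['type'], $f['target'] );
}
```

Revisions are included because each revision row in wp_posts records the user who saved it, which surfaces the iterated id values described under Indicators of Compromise.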

Monitoring Recommendations

  • Enable a WordPress activity logging plugin to record post creation, revision, and preview events with user attribution
  • Alert on contributor accounts that generate preview traffic against post IDs outside their own authored set
  • Monitor outbound responses from preview endpoints for content length anomalies that suggest disclosure of large draft documents

How to Mitigate CVE-2026-10780

Immediate Actions Required

  • Deactivate the Static Block plugin until a patched release is installed if contributor or author roles are assigned to untrusted users
  • Audit existing contributor and author accounts and revoke access for any account that does not require content authoring
  • Review recent drafts and revisions for use of the static_block_content shortcode and investigate any unauthorized references

Patch Information

At the time of publication, no fixed version has been confirmed in the NVD record. Monitor the Wordfence Vulnerability Report and the plugin's WordPress.org page for an updated release. Apply the patched version as soon as it becomes available and confirm the shortcode handler enforces a capability check before rendering.

Workarounds

  • Remove or disable the static_block_content shortcode via remove_shortcode('static_block_content') in a mu-plugin until an official fix is published
  • Restrict the contributor role from creating posts that contain shortcodes by filtering the_content for unauthenticated rendering paths
  • Use a web application firewall rule to block requests where the post body or preview payload contains [static_block_content from non-editor users
Example mu-plugin implementing the first workaround (the comments sit after the opening PHP tag; anything before it would be sent as literal output):

<?php
// Temporary mitigation: disable the vulnerable shortcode via mu-plugin.
// Save as wp-content/mu-plugins/disable-static-block-shortcode.php
// Priority 99 runs after the plugin has registered the shortcode on init.
add_action( 'init', function () {
    remove_shortcode( 'static_block_content' );
}, 99 );

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
