cleantalk
Vulnerabilities and Security Researches

Static Block, CVE-2026-10780

CVE, Research URL

CVE-2026-10780

Home page URL

Security reports for Static Block

Application

Static Block

Published on
Jun 16, 2026
Research Description
The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content without verifying the post's status (private, draft, pending) or the requesting user's capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id="X"] shortcode in their own content and previewing it.
Affected versions
max 2.2.
Status
vulnerable
Previous vulnerability researches
WooCommerce Digital Signature (CVE-2026-52694) , Jun 17, 2026
New vulnerability
Video Conferencing with Zoom (CVE-2026-6964) , Jun 17, 2026
Media Library Assistant (CVE-2026-54198) , Jun 17, 2026
RomethemeKit For Elementor (CVE-2026-5149) , Jun 17, 2026
WooCommerce Digital Signature (CVE-2026-52694) , Jun 17, 2026
Permalink Manager Lite (CVE-2026-8494) , Jun 17, 2026