Description
The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Published: 2026-02-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Upgrade Theme
AI Analysis

Impact

The Context Blog WordPress theme contains an information exposure flaw in all versions up to and including 1.2.5. The vulnerability is triggered by the unprotected 'context_blog_modal_popup' AJAX endpoint, which lacks proper permission checks. As a result, unauthenticated users can read the content of password‑protected, private, or draft posts that they should not have access to, thereby compromising confidentiality of the site’s internal data.

Affected Systems

The bug affects the Context Blog theme supplied by PostMagThemes for WordPress. All releases up to version 1.2.5 are impacted. The issue is limited to sites that have installed this theme and have the modal‑popup feature enabled.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is straightforward: any unauthenticated visitor who can reach the modal‑popup endpoint can request private or draft content. No privileged access or complex configuration is required, but the presence of the theme is a prerequisite for exploitation.

Generated by OpenCVE AI on April 27, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Context Blog theme to version 1.2.6 or later.
  • If an upgrade is not immediately possible, disable or remove the 'context_blog_modal_popup' AJAX endpoint by editing the theme files or using a plugin to block the URL.
  • Maintain the latest versions of WordPress core and all plugins, and consider using a dedicated access‑control plugin to enforce strict visibility rules for private and draft posts.
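One way to apply the interim "disable the endpoint" action without editing theme files, as an added example (not OpenCVE's or the theme vendor's code). It assumes the theme registers its handler on the standard admin-ajax hooks for the action name given above; the file name, the constant CBMP_ACTION and the function cbmp_deny_request are hypothetical.

```php
<?php
/**
 * Plugin Name: Interim block for context_blog_modal_popup (added example)
 *
 * Save as wp-content/mu-plugins/block-context-blog-modal.php (hypothetical name).
 * Assumption: the theme hooks its handler on wp_ajax_nopriv_context_blog_modal_popup
 * and wp_ajax_context_blog_modal_popup, the usual admin-ajax convention.
 */
defined( 'ABSPATH' ) || exit;

const CBMP_ACTION = 'context_blog_modal_popup'; // action name taken from the advisory

/**
 * Refuse the request and stop execution before the theme's handler runs.
 */
function cbmp_deny_request() {
	// Record the attempt for later review; REMOTE_ADDR may be a proxy address.
	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf( '[cbmp] blocked %s request from %s', CBMP_ACTION, $ip ) );

	// Sends a JSON error with HTTP 403 and terminates the request.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Priority 0 runs ahead of handlers registered at the default priority 10,
// so anonymous visitors never reach the theme's callback.
add_action( 'wp_ajax_nopriv_' . CBMP_ACTION, 'cbmp_deny_request', 0 );

// Logged-in users without the capability to read private posts are refused too;
// editors and administrators keep the modal feature.
add_action(
	'wp_ajax_' . CBMP_ACTION,
	function () {
		if ( ! current_user_can( 'read_private_posts' ) ) {
			cbmp_deny_request();
		}
	},
	0
);
```

Remove the file once the theme has been upgraded, since it also disables the modal popup for ordinary visitors.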


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Postmagthemes; Postmagthemes context Blog; Wordpress; Wordpress wordpress
Vendors & Products | | Postmagthemes; Postmagthemes context Blog; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Title | | Context Blog <= 1.2.5 - Unauthenticated Private Post Disclosure
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:23.405Z

Reserved: 2025-10-22T14:12:09.205Z

Link: CVE-2025-12074

Vulnrichment

Updated: 2026-02-18T12:26:34.735Z

NVD

Status: Deferred

Published: 2026-02-18T05:16:16.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12074

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:15:05Z
