Description
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.
Published: 2025-12-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Sensitive Data Exposure (potentially including password hashes)
Action: Immediate Patch
AI Analysis

Impact

The PostX plugin for WordPress contains a missing capability check on the REST API endpoint /ultp/v2/get_dynamic_content/. This flaw allows an unauthenticated user to send requests to the endpoint and retrieve sensitive metadata belonging to site users, including password hashes. The impact is a clear breach of confidentiality for all users of the affected installation.

Affected Systems

WordPress sites using the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin, versions up to and including 5.0.3, are affected. Administrators should check the installed plugin version and confirm it is 5.0.4 or later to be outside the affected range.

Risk and Exploitability

The CVSS score of 7.5 classifies this vulnerability as high severity, while the EPSS score of less than 1% indicates a low probability of exploitation at present. Because the flaw sits on a publicly reachable REST endpoint, it can be exploited without authentication or special network access, so the mitigation strategy is timely patching rather than waiting for evidence of malicious activity. The vulnerability is not yet listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 00:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PostX plugin to the latest available version that implements a capability check on the /ultp/v2/get_dynamic_content/ endpoint.
  • If an immediate update is not possible, restrict access to the REST endpoint by limiting it to authenticated users, or block unauthenticated requests to it with web server or firewall rules.
  • Implement monitoring for unexpected REST API traffic to /ultp/v2/get_dynamic_content/ as an early detection measure for unauthorized access attempts.
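The interim restriction and the monitoring recommended above can be applied together from a must-use plugin that short-circuits the REST dispatcher. This is an added example, not code from the PostX plugin or its vendor; the only page-derived value is the route /ultp/v2/get_dynamic_content/, and the choice of the list_users capability as the bar for reading other users' metadata is an assumption.

```php
<?php
/**
 * Plugin Name: Interim guard for PostX get_dynamic_content (example, not vendor code)
 * Description: Denies unauthenticated or low-privilege calls to /ultp/v2/get_dynamic_content/
 *              and logs them, as a stop-gap until the plugin is updated.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumptions: the vulnerable route is "/ultp/v2/get_dynamic_content" (from the
 * advisory); "list_users" is assumed to be the appropriate capability for reading
 * other users' metadata (administrators hold it by default).
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter has already short-circuited the request; leave its decision alone.
    if ( null !== $result ) {
        return $result;
    }

    // Normalise so the trailing-slash and no-slash forms of the route both match.
    // get_route() also covers requests made via ?rest_route=/ultp/v2/...
    $route = rtrim( $request->get_route(), '/' );
    if ( '/ultp/v2/get_dynamic_content' !== $route ) {
        return $result;
    }

    // The missing control described in the advisory is a capability check, so
    // enforce one here in front of the plugin's own callback.
    if ( ! is_user_logged_in() || ! current_user_can( 'list_users' ) ) {
        // Feeds the "monitor REST traffic to this endpoint" recommendation:
        // each blocked call is written to the PHP error log.
        error_log( sprintf(
            'postx-guard: blocked request to %s from %s (user id %d)',
            $route,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            get_current_user_id()
        ) );

        // 401 when nobody is logged in, 403 when a logged-in user lacks the capability.
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}, 10, 3 );
```

Because the guard also denies anonymous visitors, any PostX dynamic-content block that relies on this endpoint for unauthenticated front-end rendering will stop working until the plugin is updated and the guard is removed.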


Advisories

No advisories yet.

History

Tue, 23 Dec 2025 23:00:00 +0000

Type: First Time appeared
Values Added:
  • Post Grid Team By Wpxpo
  • Post Grid Team By Wpxpo postx-gutenberg Blocks For Post Grid
  • Wordpress
  • Wordpress wordpress
  • Wpxpo
  • Wpxpo postx
  • Wpxpo postx - Gutenberg Blocks For Post Grid

Type: Vendors & Products
Values Added:
  • Post Grid Team By Wpxpo
  • Post Grid Team By Wpxpo postx-gutenberg Blocks For Post Grid
  • Wordpress
  • Wordpress wordpress
  • Wpxpo
  • Wpxpo postx
  • Wpxpo postx - Gutenberg Blocks For Post Grid

Mon, 22 Dec 2025 21:15:00 +0000

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Dec 2025 02:45:00 +0000

Type: Description
Values Added: The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.

Type: Title
Values Added: Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:34.314Z

Reserved: 2025-11-10T19:18:33.605Z

Link: CVE-2025-12980

Vulnrichment

Updated: 2025-12-22T20:19:39.936Z

NVD

Status: Deferred

Published: 2025-12-21T03:15:51.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12980

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses