Description
Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master ajax-filter-posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid Master: from n/a through <= 3.4.17.
Published: 2025-06-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the Post Grid Master ajax-filter-posts feature allows an attacker to exploit incorrectly configured access control security levels. The flaw, classified as CWE-862, enables access to plugin management actions that should be restricted. No direct elevation of privilege is described, but the lack of proper checks can let users obtain or modify content unintentionally.

Affected Systems

The vulnerability affects the WordPress Post Grid Master plugin by Akhtarujjaman Shuvo. All releases from the initial version through version 3.4.17 are impacted.

Risk and Exploitability

The CVSS v3 score of 4.3 indicates a medium impact. The EPSS score of less than 1% reflects a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves interacting with the ajax-filter-posts capability from an authenticated user account that lacks proper permission checks; this could be an internal user or an external user with compromised credentials. The vulnerability does not provide a remote code execution path, but it can allow unauthorized manipulation of content or plugin configuration.

Generated by OpenCVE AI on April 30, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Post Grid Master to version 3.4.18 or later.
  • Restrict access to the ajax-filter-posts functionality by assigning the required administrative capabilities only to trusted users.
  • Review and enforce correct capability checks in the plugin’s access controls to ensure unauthorized users cannot trigger privileged actions.

Generated by OpenCVE AI on April 30, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17225 Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid Master: from n/a through 3.4.13.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid Master: from n/a through 3.4.13. Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master ajax-filter-posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid Master: from n/a through <= 3.4.17.
Title WordPress Post Grid Master <= 3.4.13 - Broken Access Control Vulnerability WordPress Post Grid Master plugin <= 3.4.17 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 13 Aug 2025 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Addonmaster
Addonmaster post Grid Master
CPEs cpe:2.3:a:addonmaster:post_grid_master:*:*:*:*:*:wordpress:*:*
Vendors & Products Addonmaster
Addonmaster post Grid Master

Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid Master: from n/a through 3.4.13.
Title WordPress Post Grid Master <= 3.4.13 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Addonmaster Post Grid Master
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:02.771Z

Reserved: 2025-03-26T09:22:34.906Z

Link: CVE-2025-30974

cve-icon Vulnrichment

Updated: 2025-06-06T15:12:50.676Z

cve-icon NVD

Status : Modified

Published: 2025-06-06T13:15:37.160

Modified: 2026-04-23T15:27:26.040

Link: CVE-2025-30974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T18:30:16Z

Weaknesses