Description
Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 4.1.36.
Published: 2025-12-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the PostX plugin for WordPress, allowing attackers to bypass access control checks and perform actions normally limited to privileged users. This can enable the creation, editing, or deletion of posts and other content published through the plugin, potentially leading to site defacement or data leakage. The weakness is classified as Missing Permissions (CWE-862).

Affected Systems

Affected components are the WPXPO PostX "ultimate-post" plugin, for all versions up to and including 4.1.36. Users running any of these versions, regardless of other WordPress configurations, are potentially impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity vulnerability, while the EPSS of less than 1% suggests a low probability of exploitation on a global scale at this time. The plugin is not currently listed in the CISA KEV catalog. The likely attack vector is via HTTP requests to administrative endpoints of the plugin, exploiting the lack of proper permission checks

Generated by OpenCVE AI on April 29, 2026 at 13:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PostX plugin to a version later than 4.1.36, ensuring that the latest patch has been applied
  • Verify that role‑based access controls are enforced within WordPress so that only authorized users can perform the actions exposed by the plugin
  • Review and restrict server or network access to the WordPress admin area to prevent unauthenticated users from reaching the plugin’s endpoints
  • Implement monitoring of admin actions and audit logs to detect any unauthorized content changes

Generated by OpenCVE AI on April 29, 2026 at 13:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpxpo
Wpxpo postx
Vendors & Products Wordpress
Wordpress wordpress
Wpxpo
Wpxpo postx

Thu, 18 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 4.1.36.
Title WordPress PostX plugin <= 4.1.36 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpxpo Postx
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:46:08.669Z

Reserved: 2025-07-28T10:56:48.471Z

Link: CVE-2025-54751

cve-icon Vulnrichment

Updated: 2025-12-18T19:11:32.086Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:15:56.323

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-54751

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:30:12Z

Weaknesses