Description
Incorrect Privilege Assignment vulnerability in WPXPO PostX ultimate-post allows Privilege Escalation. This issue affects PostX: from n/a through <= 4.1.35.
Published: 2025-12-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPXPO PostX plugin (slug ultimate-post) contains an incorrect privilege assignment flaw that enables privilege escalation. It is classified as CWE-266, the weakness in which software grants a user privileges beyond those intended. The CVE description says only that the flaw allows privilege escalation; it does not name the mis-privileged action or what the attacker can do afterwards. The CVSS vector recorded under History (PR:H) indicates that the attacker already needs a high-privilege account, and the SSVC assessment rates the technical impact as total, so the likely outcome is that an account with elevated but not full rights can reach administrator-level control of the site. Which WordPress role qualifies as "high privilege" here is not stated on this page.

Affected Systems

WordPress sites running the WPXPO PostX plugin (ultimate-post) at any version up to and including 4.1.35 are affected. No lower bound is given ("from n/a"), so every earlier release should be treated as affected.

Risk and Exploitability

The CVSS 3.1 score of 7.2 (High) comes from the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires high privileges, and a successful exploit gives total loss of confidentiality, integrity and availability within the WordPress installation (scope unchanged). The EPSS score below 1% indicates that exploitation activity is currently rare, the SSVC assessment records no known exploitation and rates the flaw as not automatable, and the CVE is not listed in CISA's KEV catalog. Because an existing privileged account is the precondition, the realistic threat is an insider, a compromised privileged account, or a chain from another vulnerability that yields such an account.

Generated by OpenCVE AI on April 29, 2026 at 15:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PostX to version 4.1.36 or newer. The affected range "through <= 4.1.35" implies the fix shipped in the next release, but since no vendor fix is recorded in the Remediation section above, confirm the fixed version in the plugin changelog or the Patchstack advisory before treating the site as patched.
  • After updating, audit all user roles to confirm that no unintended administrators exist and that role assignments adhere to the principle of least privilege.
  • Monitor site logs for unexpected role changes or creation of new administrator accounts, and investigate promptly if any anomalies are observed.
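
The three actions above as an added example script; this is not code from OpenCVE, WPXPO or the PostX plugin. It assumes the installed version and the administrator list come from WP-CLI (`wp plugin get ultimate-post --field=version` and `wp user list --role=administrator --format=csv`); the CSV and allowlist embedded at the bottom are constructed samples so the script runs offline, and the helper names `postx_is_affected`, `unexpected_admins` and `admins_registered_since` are mine.

```shell
#!/bin/sh
# Added example, not OpenCVE's or WPXPO's code. Offline helpers for the
# three recommended actions. On a live site the inputs come from WP-CLI:
#   wp plugin get ultimate-post --field=version
#   wp user list --role=administrator --format=csv
# The values at the bottom are constructed samples, not real site output.

LAST_AFFECTED="4.1.35"   # affected range from the advisory: through <= 4.1.35

# postx_is_affected VERSION: succeeds when VERSION is inside the affected range.
# sort -V (GNU coreutils) orders version strings; VERSION is affected when it
# sorts at or before 4.1.35.
postx_is_affected() {
  [ "$(printf '%s\n%s\n' "$1" "$LAST_AFFECTED" | sort -V | head -n 1)" = "$1" ]
}

# unexpected_admins CSV ALLOWLIST: prints administrator logins present in CSV
# (the `wp user list --role=administrator --format=csv` output) but absent from
# ALLOWLIST (one login per line). Assumes user_login never contains a comma.
unexpected_admins() {
  printf '%s\n' "$1" | awk -F, -v allow="$2" '
    BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR > 1 && !($2 in ok) { print $2 }'
}

# admins_registered_since CSV DATE: prints administrator logins whose
# user_registered timestamp (column 5, "YYYY-MM-DD HH:MM:SS") is at or after
# DATE. ISO timestamps compare correctly as plain strings, so no date parsing.
admins_registered_since() {
  printf '%s\n' "$1" | awk -F, -v since="$2" 'NR > 1 && $5 >= since { print $2 }'
}

# ---- constructed sample data ----
SAMPLE_CSV='ID,user_login,display_name,user_email,user_registered,roles
1,owner,Site Owner,owner@example.test,2023-03-01 10:00:00,administrator
7,backup-admin,Backup Admin,backup@example.test,2024-06-12 08:30:00,administrator
42,wpx_svc,wpx svc,svc@example.test,2025-12-20 02:14:09,administrator'
ALLOWLIST='owner
backup-admin'

if postx_is_affected "4.1.35"; then echo "4.1.35: affected, upgrade"; fi
if postx_is_affected "4.1.36"; then :; else echo "4.1.36: outside affected range"; fi
echo "administrators not on the allowlist:"
unexpected_admins "$SAMPLE_CSV" "$ALLOWLIST"
echo "administrators registered since disclosure (2025-12-18):"
admins_registered_since "$SAMPLE_CSV" "2025-12-18 00:00:00"
```

On a real site, replace the sample CSV with `wp user list --role=administrator --format=csv` output and keep the allowlist under version control; any login the script prints is an account that needs an owner or a removal ticket.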

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress; Wpxpo; Wpxpo postx

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress; Wpxpo; Wpxpo postx

Thu, 18 Dec 2025 19:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values added: Incorrect Privilege Assignment vulnerability in WPXPO PostX ultimate-post allows Privilege Escalation. This issue affects PostX: from n/a through <= 4.1.35.

Type: Title
Values added: WordPress PostX Plugin <= 4.1.35 - Privilege Escalation Vulnerability

Type: Weaknesses
Values added: CWE-266
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:46:17.677Z

Reserved: 2025-08-14T09:10:30.442Z

Link: CVE-2025-55707

Vulnrichment

Updated: 2025-12-18T19:00:00.666Z

NVD

Status : Deferred

Published: 2025-12-18T08:15:56.450

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-55707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z

Weaknesses