Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX < 5.0.4 – Missing Authorization to Unauthenticated Sensitive Information Exposure | CVE 2025-12980 | Plugin Vulnerabilities

Description

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.

Affects Plugins

Fixed in 5.0.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ff3b3-de41-4ac4-b825-b3238725ca44

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Marcin Dudek (dudekmar)

Verified

No

WPVDB ID

06e143ba-f844-44c8-a2b8-35edfe2df40f

Timeline

Publicly Published

2025-12-20 (about 6 months ago)

Added

2025-12-20 (about 6 months ago)

Last Updated

2025-12-21 (about 6 months ago)

Other

Published

Title

Published

2026-04-16

Title

WP Statistics < 14.16.5 - Subscriber+ Sensitive Information Exposure and Privacy Audit Manipulation

Published

2025-08-29

Title

Blog Designer PRO <= 3.4.8 - Missing Authorization

Published

2026-01-29

Title

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode < 4.6.5 - Missing Authorization

Published

2025-03-11

Title

Block Spam By Math Reloaded <= 2.2.4 - Missing Authorization

Published

2026-02-20

Title

Xpro Addons For Beaver Builder – Lite < 1.5.7 - Missing Authorization