WordPress Plugin Vulnerabilities

PostX < 4.1.36 - Authenticated (Editor+) Privilege Escalation

Description

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.1.35. This makes it possible for authenticated attackers, with Editor-level access and above, to elevate their privileges.

Affects Plugins

Plugin icon
ultimate-post
Fixed in 4.1.36

References

CVE
CVE-2025-55707
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/08ad76c6-8e63-4015-b0d9-5699f24f36ca

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Denver Jackson
Verified
No
WPVDB ID
32a7dacb-022a-4136-a5ce-fbb196bdd119

Timeline

Publicly Published
2025-08-29 (about 9 months ago)
Added
2025-12-20 (about 6 months ago)
Last Updated
2025-12-20 (about 6 months ago)

Other

Published
Title
Published
2026-06-08
Title
Events Calendar for GeoDirectory < 2.3.29 - Subscriber+ Privilege Escalation
Published
2024-11-25
Title
AppPresser < 4.4.7 - Unauthenticated Privilege Escalation via Password Reset
Published
2026-05-22
Title
Wishlist Member < 3.31.0 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_export_settings' AJAX Action
Published
2025-07-31
Title
DELUCKS SEO < 2.6.1 - Authenticated (Subscriber+) Privilege Escalation
Published
2026-06-15
Title
Admin and Site Enhancements < 8.8.4 - Unauthenticated Administrator-Role Restoration via reset-for Parameter