WordPress Plugin Vulnerabilities

Post Grid and Gutenberg Blocks <= 2.3.19 - Unauthenticated Insecure Direct Object Reference

Description

The Post Grid plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.19 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
post-grid
No known fix

References

CVE
CVE-2025-63043
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0556738f-5c3c-4ff6-9432-d666328dc5e5

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Doan Dinh Van (DinhVan52)
Verified
No
WPVDB ID
67135efd-9886-4edb-9a2e-dbf5292e03c0

Timeline

Publicly Published
2025-12-03 (about 5 months ago)
Added
2025-12-20 (about 5 months ago)
Last Updated
2026-04-30 (about 24 days ago)

Other

Published
Title
Published
2025-09-22
Title
Content Mask <= 1.8.5.3 - Authenticated (Author+) Insecure Direct Object Reference
Published
2026-04-21
Title
Salon Booking System – Free Version < 10.30.25 - Unauthenticated Insecure Direct Object Reference
Published
2024-09-05
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.9 - Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update
Published
2021-07-27
Title
uListing < 2.0.6 - Authenticated IDOR
Published
2025-10-21
Title
Flexible Refund and Return Order for WooCommerce < 1.0.39 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund