WordPress Plugin Vulnerabilities

Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX < 5.0.6 - Missing Authorization to Limited Post Meta Modification

Description

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to modify the share_count post meta for any post, including private or draft posts.

Affects Plugins

Plugin icon
ultimate-post
Fixed in 5.0.6

References

CVE
CVE-2026-0718
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b2cf3b-5d35-4ce6-9453-1538a6f7752f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mohammad Amin Hajian (mamadrce)
Verified
No
WPVDB ID
a3e9aa42-9848-4c15-a52a-518498da06d8

Timeline

Publicly Published
2026-04-15 (about 2 months ago)
Added
2026-04-15 (about 2 months ago)
Last Updated
2026-04-16 (about 2 months ago)

Other

Published
Title
Published
2025-11-24
Title
Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update
Published
2025-02-03
Title
Awesome Event Booking < 2.7.5 - Missing Authorization
Published
2024-01-08
Title
Envira Gallery Lite < 1.8.7.3 - Missing Authorization to Gallery Modification via envira_gallery_insert_images
Published
2025-12-03
Title
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI < 3.41.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation
Published
2024-04-22
Title
ARForms < 6.4.1 - Missing Authorization to Arbitrary Option Deletion