Skip to main content

PickPlugins Post Grid CVE-2025-63043

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-12-18 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 18, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.23.

AnalysisAI

Authorization bypass in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin through version 2.3.23 allows attackers to exploit incorrectly configured access control via user-controlled keys, potentially enabling unauthorized access to post content or plugin functionality. The vulnerability is classified as CWE-639 (Authorization Through User-Controlled Key) and presents a low exploitation probability (EPSS 0.04%, 13th percentile) with no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

The vulnerability stems from improper implementation of authorization controls in the Post Grid and Gutenberg Blocks plugin, specifically through the use of user-supplied input to determine or bypass access control decisions. CWE-639 describes scenarios where authentication or authorization is decided based on a key (identifier, token, or parameter) that the user can control or influence, rather than deriving authorization from the application's internal security model. This typically manifests in WordPress plugins as insecure direct object references (IDOR) where object IDs, nonces, or capability checks are inadequately validated, allowing unauthenticated or low-privileged users to access restricted functionality or data by modifying request parameters.

Affected ProductsAI

PickPlugins Post Grid and Gutenberg Blocks WordPress plugin is affected in all versions from an unspecified baseline through 2.3.23, as documented in the Patchstack vulnerability database. The plugin is distributed via the official WordPress.org plugin repository (CPE data specific to this plugin not independently confirmed in provided references, but standard WordPress plugin CPE format would be cpe:2.3:a:pickplugins:post-grid:*:*:*:*:*:wordpress:*:*). Vendors have not released an updated version number in the provided data, though Patchstack's involvement suggests a patch may be available.

RemediationAI

Update PickPlugins Post Grid and Gutenberg Blocks to the latest available version beyond 2.3.23. Users should check the official WordPress.org plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-19-insecure-direct-object-references-idor-vulnerability for the patched version number and installation instructions. Until a patched version is confirmed and deployed, administrators should review plugin capabilities and access control settings to ensure that post content and block configurations are not exposed to unintended user roles; if deployment is not mission-critical, temporary deactivation of the plugin is a prudent workaround pending a verified patch release.

Share

CVE-2025-63043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy