CVE-2025-63043
Description
Authorization Bypass Through User-Controlled Key vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.23.
Analysis
An authorization bypass in the PickPlugins Post Grid and Gutenberg Blocks WordPress plugin, through version 2.3.23, allows attackers to exploit incorrectly configured access control via user-controlled keys, potentially enabling unauthorized access to post content or plugin functionality. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has a low exploitation probability (EPSS 0.04%, 13th percentile); no public exploit code or active exploitation had been confirmed at the time of analysis.
Technical Context
The vulnerability stems from improper implementation of authorization controls in the Post Grid and Gutenberg Blocks plugin, specifically through the use of user-supplied input to determine or bypass access control decisions. CWE-639 describes scenarios where authentication or authorization is decided based on a key (identifier, token, or parameter) that the user can control or influence, rather than deriving authorization from the application's internal security model. This typically manifests in WordPress plugins as insecure direct object references (IDOR) where object IDs, nonces, or capability checks are inadequately validated, allowing unauthenticated or low-privileged users to access restricted functionality or data by modifying request parameters.
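The following is an added illustration of the CWE-639 pattern described above, written for this page and not taken from the Post Grid plugin: a hypothetical WordPress AJAX handler whose only "authorization" is the post ID supplied by the caller, placed beside a hardened version that derives the decision from the current user's capabilities. The action names, function names and nonce name are invented.

```php
<?php
// Added illustration of CWE-639 / IDOR in a WordPress AJAX handler.
// Hypothetical code for this page; not the Post Grid plugin's source.

// VULNERABLE PATTERN: the post ID chosen by the caller is the only thing
// that decides what is returned. Any visitor can iterate IDs and read
// draft, private or password-protected post content.
add_action( 'wp_ajax_nopriv_demo_get_post', 'demo_get_post_insecure' );
add_action( 'wp_ajax_demo_get_post', 'demo_get_post_insecure' );
function demo_get_post_insecure() {
    $post_id = absint( $_POST['post_id'] ?? 0 ); // user-controlled key
    $post    = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    // No nonce, capability or status check: restricted content leaks.
    wp_send_json_success( array( 'content' => $post->post_content ) );
}

// HARDENED PATTERN: the key still identifies the object, but whether it
// is served comes from WordPress's own access model, not from the ID.
add_action( 'wp_ajax_demo_get_post_safe', 'demo_get_post_secure' );
function demo_get_post_secure() {
    // CSRF protection for the logged-in AJAX endpoint (nonce name invented).
    check_ajax_referer( 'demo_get_post_nonce', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Published posts are public; anything else requires the read_post
    // meta capability on that specific post, resolved by WordPress from
    // the post type and the post's author/status.
    if ( 'publish' !== $post->post_status
        && ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Password-protected posts stay protected until the cookie is set.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_send_json_success( array( 'content' => $post->post_content ) );
}
```

When auditing a plugin for this class of bug, look for handlers registered on wp_ajax_nopriv_* or unauthenticated REST routes that reach get_post() or similar lookups with a request-supplied ID and no current_user_can() call on the resolved object.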
Affected Products
The PickPlugins Post Grid and Gutenberg Blocks WordPress plugin is affected in all versions from an unspecified baseline through 2.3.23, as documented in the Patchstack vulnerability database. The plugin is distributed via the official WordPress.org plugin repository (CPE data specific to this plugin was not independently confirmed in the provided references; the standard WordPress plugin CPE format would be cpe:2.3:a:pickplugins:post-grid:*:*:*:*:*:wordpress:*:*). The provided data does not name a fixed version, though Patchstack's involvement suggests a patch may be available.
Remediation
Update PickPlugins Post Grid and Gutenberg Blocks to the latest available version beyond 2.3.23. Users should check the official WordPress.org plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-19-insecure-direct-object-references-idor-vulnerability for the patched version number and installation instructions. Until a patched version is confirmed and deployed, administrators should review plugin capabilities and access control settings to ensure that post content and block configurations are not exposed to unintended user roles; if deployment is not mission-critical, temporary deactivation of the plugin is a prudent workaround pending a verified patch release.