CVE-2025-66058

2025-12-18 [email protected]

Lifecycle Timeline

Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 18, 2025 - 17:15 nvd

Description

Missing Authorization vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.17.

Analysis

Missing authorization in the PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions through 2.3.17) lets a caller reach functionality the plugin should have gated behind a capability check, which can expose protected content or plugin administrative functions to users who are not entitled to them. The root cause is broken access control (CWE-862). No public exploit code was confirmed at the time of analysis, and the EPSS score of 0.04% indicates a low observed probability of exploitation; note that EPSS measures exploitation activity, not the severity of the authorization gap itself.

Technical Context

The vulnerability is classified as CWE-862 (Missing Authorization): the plugin performs a sensitive operation without first checking that the caller is allowed to perform it. This is a common WordPress plugin pattern, where a capability check (current_user_can()) or a nonce check is missing or misapplied in a REST route (a permissive or absent permission_callback), an admin-ajax.php action (often registered on the wp_ajax_nopriv_ hook as well as wp_ajax_), or a function reachable from block rendering. Nonces and capabilities are distinct controls: a nonce only binds a request to a page a logged-in user loaded, so a nonce check alone does not establish authorization, and a capability check alone leaves the operation open to CSRF. The public advisory does not identify which handler lacks the check, what operation it exposes, or the privilege level needed to reach it; the plugin's attack surface is the grid-configuration and content-filtering input it accepts, so those handlers are where to look when auditing. The affected product is a Gutenberg-compatible WordPress plugin used for displaying posts in customizable grid layouts.
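The pattern described above, as an added example that is not part of this page or of the Post Grid plugin's code: a hypothetical settings handler written the vulnerable way, then with the checks the text refers to, and the same mistake as it appears in a REST route. Every name here (the pg_demo_* functions, the option key, the nonce action, the REST namespace) is invented; the advisory does not say which endpoint in the real plugin was affected, and this code makes no claim about that.

```php
<?php
/**
 * Added example (not code from the Post Grid plugin): the CWE-862 pattern
 * as a hypothetical WordPress AJAX handler and REST route. All pg_demo_*
 * names, the option key and the nonce action are invented for illustration.
 */

// --- Vulnerable form ---------------------------------------------------------
// Registered for anonymous callers too, and the handler never asks who is
// calling: anyone who can reach admin-ajax.php can overwrite the option.
add_action( 'wp_ajax_pg_demo_save_settings',        'pg_demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_pg_demo_save_settings', 'pg_demo_save_settings_vulnerable' );

function pg_demo_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'pg_demo_settings', $settings ); // no capability check, no nonce
    wp_send_json_success();
}

// --- Hardened form -----------------------------------------------------------
// Only the logged-in hook is registered; the nonce ties the request to a page
// the user actually loaded, and current_user_can() enforces the capability.
// Both are needed: a subscriber can obtain a valid nonce, so the nonce alone
// is not authorization, and the capability check alone is still CSRF-able.
add_action( 'wp_ajax_pg_demo_save_settings_v2', 'pg_demo_save_settings_hardened' );

function pg_demo_save_settings_hardened() {
    check_ajax_referer( 'pg_demo_save_settings', 'nonce' ); // dies with -1 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = pg_demo_sanitize_settings( is_array( $raw ) ? $raw : array() );
    update_option( 'pg_demo_settings', $settings );
    wp_send_json_success();
}

// Allow-list the fields a grid actually uses instead of storing the body verbatim.
function pg_demo_sanitize_settings( array $raw ) {
    $order = isset( $raw['order'] ) ? $raw['order'] : 'DESC';
    return array(
        'columns'   => max( 1, min( 6, (int) ( isset( $raw['columns'] ) ? $raw['columns'] : 3 ) ) ),
        'post_type' => sanitize_key( isset( $raw['post_type'] ) ? $raw['post_type'] : 'post' ),
        'order'     => in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'DESC',
    );
}

// The nonce has to reach the page that will make the request.
function pg_demo_enqueue_admin_script() {
    wp_enqueue_script( 'pg-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'pg-demo-admin', 'pgDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'pg_demo_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'pg_demo_enqueue_admin_script' );

// --- Same mistake in the REST API --------------------------------------------
// '__return_true' makes the route public, and omitting permission_callback
// entirely triggers a _doing_it_wrong notice since WordPress 5.5. The
// authorization decision belongs in permission_callback, not in the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'pg-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'pg_demo_rest_save_settings',
        // Vulnerable: 'permission_callback' => '__return_true',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'settings' => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );

function pg_demo_rest_save_settings( WP_REST_Request $request ) {
    $settings = pg_demo_sanitize_settings( (array) $request->get_param( 'settings' ) );
    update_option( 'pg_demo_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

For the REST route, WordPress evaluates permission_callback before the handler runs, and a browser client authenticating with cookies must also send the core X-WP-Nonce header (action 'wp_rest') or the request is treated as anonymous and the capability check fails. When auditing a plugin for this class of bug, grep for wp_ajax_nopriv_, for permission_callback set to __return_true, and for update_option() or wp_update_post() calls that are not preceded by current_user_can().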

Affected Products

PickPlugins Post Grid and Gutenberg Blocks WordPress plugin versions up to and including 2.3.17. The plugin is distributed through the WordPress.org plugin repository under the slug 'post-grid'. No WordPress core version dependency is documented, so any site running plugin version 2.3.17 or earlier should be treated as affected regardless of core version.

Remediation

Update PickPlugins Post Grid and Gutenberg Blocks to a patched version released after 2.3.17 immediately. Check the plugin's WordPress.org page or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-17-broken-access-control-vulnerability-2 for the specific patched version number, and confirm the installed version from the plugin header (wp-content/plugins/post-grid) or with wp plugin list rather than trusting the dashboard of a site that may already be compromised. If an immediate update is not possible, temporarily deactivate the plugin on production sites handling sensitive content (its grid blocks will stop rendering while it is off) until the patch has been tested in a staging environment and deployed.

Priority Score

Priority Score: 0 (Low)
KEV: 0 (not listed in CISA KEV)
EPSS: +0.0 (0.04%)
CVSS: +0
POC: 0 (no public exploit confirmed)
