CVE-2026-1273
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2Description
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.8 via the `/ultp/v3/starter_dummy_post/` and `/ultp/v3/starter_import_content/` REST API endpoints. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Analysis
The PostX WordPress plugin versions up to 5.0.8 contains a server-side request forgery vulnerability in its REST API endpoints that allows authenticated administrators to make arbitrary web requests from the server to internal or external systems. This could enable attackers with admin privileges to query, exfiltrate, or modify data from internal services accessible to the web server. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WordPress installations using PostX plugin and document affected versions. Within 7 days: Implement WAF rules to block requests to vulnerable REST API endpoints (/ultp/v3/starter_dummy_post/ and /ultp/v3/starter_import_content/), disable these endpoints if possible, and restrict API access to authorized users only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today