Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Mamunur Rashid The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects The Post Grid: from n/a through 7.9.2.
AnalysisAI
Missing authorization in The Post Grid WordPress plugin (versions through 7.9.2) allows authenticated low-privileged users to bypass access control checks and read data restricted to higher-privileged roles. The flaw stems from inadequate capability enforcement within the plugin's request handling, enabling privilege escalation of access scope without elevated credentials. No public exploit identified at time of analysis, and CISA has not listed this in the KEV catalog; SSVC signals confirm no known active exploitation.
Technical ContextAI
The Post Grid is a WordPress plugin developed by Mamunur Rashid that renders post listings and grids. CWE-862 (Missing Authorization) indicates that the plugin fails to perform a proper authorization check - typically via WordPress capability functions such as current_user_can() - before granting access to one or more endpoints or AJAX actions. WordPress access control depends on roles and capabilities being explicitly verified at the function level; when those checks are absent or misconfigured, any authenticated user (including low-trust roles like Subscriber or Contributor) can invoke privileged functionality. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms the flaw is reachable over the network, requires no interaction beyond authentication, and produces a limited confidentiality disclosure with no integrity or availability impact. Affected versions span all releases up to and including 7.9.2 per EUVD-2026-32560.
RemediationAI
The primary remediation is to update The Post Grid plugin to a version beyond 7.9.2. The exact patched version is not confirmed in the available intelligence - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/the-post-grid/vulnerability/wordpress-the-post-grid-plugin-7-9-2-broken-access-control-vulnerability) and the WordPress plugin repository changelog to identify the first fixed release. If an update cannot be applied immediately, a practical compensating control is to disable open user registration on the WordPress site (Settings > General > uncheck 'Anyone can register'), which eliminates the ability for untrusted parties to obtain the low-privileged account required for exploitation. Additionally, reviewing and removing unnecessary Subscriber or Contributor accounts reduces the attack surface. Deactivating the plugin entirely eliminates exposure with the trade-off of losing its display functionality. Note that network-layer controls (WAF rules) are unlikely to be effective for this class of missing authorization flaw, as the requests themselves may appear legitimate.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32560
GHSA-3c8c-p4wx-4q49