Skip to main content

The Post Grid EUVDEUVD-2026-32560

| CVE-2026-49054 MEDIUM
Missing Authorization (CWE-862)
2026-05-27 audit@patchstack.com GHSA-3c8c-p4wx-4q49
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:07 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Mamunur Rashid The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects The Post Grid: from n/a through 7.9.2.

AnalysisAI

Missing authorization in The Post Grid WordPress plugin (versions through 7.9.2) allows authenticated low-privileged users to bypass access control checks and read data restricted to higher-privileged roles. The flaw stems from inadequate capability enforcement within the plugin's request handling, enabling privilege escalation of access scope without elevated credentials. No public exploit identified at time of analysis, and CISA has not listed this in the KEV catalog; SSVC signals confirm no known active exploitation.

Technical ContextAI

The Post Grid is a WordPress plugin developed by Mamunur Rashid that renders post listings and grids. CWE-862 (Missing Authorization) indicates that the plugin fails to perform a proper authorization check - typically via WordPress capability functions such as current_user_can() - before granting access to one or more endpoints or AJAX actions. WordPress access control depends on roles and capabilities being explicitly verified at the function level; when those checks are absent or misconfigured, any authenticated user (including low-trust roles like Subscriber or Contributor) can invoke privileged functionality. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms the flaw is reachable over the network, requires no interaction beyond authentication, and produces a limited confidentiality disclosure with no integrity or availability impact. Affected versions span all releases up to and including 7.9.2 per EUVD-2026-32560.

RemediationAI

The primary remediation is to update The Post Grid plugin to a version beyond 7.9.2. The exact patched version is not confirmed in the available intelligence - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/the-post-grid/vulnerability/wordpress-the-post-grid-plugin-7-9-2-broken-access-control-vulnerability) and the WordPress plugin repository changelog to identify the first fixed release. If an update cannot be applied immediately, a practical compensating control is to disable open user registration on the WordPress site (Settings > General > uncheck 'Anyone can register'), which eliminates the ability for untrusted parties to obtain the low-privileged account required for exploitation. Additionally, reviewing and removing unnecessary Subscriber or Contributor accounts reduces the attack surface. Deactivating the plugin entirely eliminates exposure with the trade-off of losing its display functionality. Note that network-layer controls (WAF rules) are unlikely to be effective for this class of missing authorization flaw, as the requests themselves may appear legitimate.

Share

EUVD-2026-32560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy