CVE-2024-5326
HIGH
Post Grid Gutenberg Blocks & WordPress Blog Plugin - Info Disclosure
Title source: llm
Description
The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
Exploits (3)
References (4)
Scores
CVSS v3
8.8
EPSS
0.5293
EPSS Percentile
98.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-862
Status
published
Products (2)
wpxpo/Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
< 4.1.2
wpxpo/Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
< 4.1.2
Published
May 30, 2024
Tracked Since
Feb 18, 2026