CVE-2024-5326

HIGH

Post Grid Gutenberg Blocks & WordPress Blog Plugin - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-5326. PoCs published by cve-2024, djayaGit.

AI-analyzed exploit summary This PoC exploits a missing authorization check in the PostX WordPress plugin (CVE-2024-5326) to enable user registration and set the default role to Administrator. It requires Contributor-level credentials to modify arbitrary options via the 'postx_presets_callback' function.

Description

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Exploits (2)

nomisec WORKING POC
by cve-2024 · poc
https://github.com/cve-2024/CVE-2024-5326-Poc

This PoC exploits a missing authorization check in the PostX WordPress plugin (CVE-2024-5326) to enable user registration and set the default role to Administrator. It requires Contributor-level credentials to modify arbitrary options via the 'postx_presets_callback' function.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX <= 4.1.2
Auth required
Prerequisites: Contributor-level WordPress credentials · WordPress site with PostX plugin <= 4.1.2
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by djayaGit · poc
https://github.com/djayaGit/CVE-2024-5326-Poc

This PoC exploits a missing authorization check in the PostX WordPress plugin (CVE-2024-5326) to enable user registration and set the default role to Administrator. It requires Contributor-level credentials to modify arbitrary options via the 'postx_presets_callback' function.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX <= 4.1.2
Auth required
Prerequisites: WordPress site with PostX plugin <= 4.1.2 · Contributor-level credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.5293
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (2)
wpxpo/Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX < 4.1.2
wpxpo/Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX < 4.1.2
Published May 30, 2024
Tracked Since Feb 18, 2026