{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12980", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-10T19:18:33.605Z", "datePublished": "2025-12-21T02:20:32.805Z", "dateUpdated": "2026-04-08T17:30:34.314Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:34.314Z"}, "affected": [{"vendor": "wpxpo", "product": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes."}], "title": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX <= 5.0.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ff3b3-de41-4ac4-b825-b3238725ca44?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3421729/ultimate-post/trunk/classes/Blocks.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Marcin Dudek"}], "timeline": [{"time": "2025-11-19T16:27:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-20T14:15:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T20:19:34.998464Z", "id": "CVE-2025-12980", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:19:43.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T20:19:34.998464Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:19:39.936Z"}}], "cna": {"title": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX <= 5.0.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Marcin Dudek"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "wpxpo", "product": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-19T16:27:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-20T14:15:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ff3b3-de41-4ac4-b825-b3238725ca44?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3421729/ultimate-post/trunk/classes/Blocks.php"}], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:34.314Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12980", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:34.314Z", "dateReserved": "2025-11-10T19:18:33.605Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-21T02:20:32.805Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes."}], "id": "CVE-2025-12980", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-21T03:15:51.830", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3421729/ultimate-post/trunk/classes/Blocks.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ff3b3-de41-4ac4-b825-b3238725ca44?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:39:23.733176+00:00", "value": {"mitigation_remediation": ["Update the PostX plugin to the latest available version that implements a capability check on the /ultp/v2/get_dynamic_content/ endpoint.", "If an immediate update is not possible, restrict access to the REST endpoint by limiting it to authenticated users or by blocking requests from unauthenticated IPs using server or firewall rules.", "Implement monitoring for unexpected REST API traffic to /ultp/v2/get_dynamic_content/ as an early detection measure for unauthorized access attempts."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Sensitive Data Exposure (potentially including password hashes)"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin, versions up to and including 5.0.3, are affected. Users should verify the installed major version and confirm it is 5.0.4 or later to avoid the vulnerability.", "description_and_impact": "The PostX plugin for WordPress contains a missing capability check on the REST API endpoint /ultp/v2/get_dynamic_content/. This flaw allows an unauthenticated user to send requests to the endpoint and retrieve sensitive metadata belonging to site users, including password hashes. The impact is a clear breach of confidentiality for all users of the affected installation.", "risk_and_exploitability": "The CVSS score of 7.5 classifies this vulnerability as high severity, and the EPSS score of less than 1% indicates a low probability of exploitation at present. Because the flaw exists on a publicly accessible REST endpoint, an attacker can exploit it without authentication or special network access, but the mitigation strategy focuses on timely patching rather than waiting for malicious activity. The vulnerability is not yet listed in the CISA KEV catalog."}}}}, "created": "2025-12-23T22:52:23.287864+00:00", "updated": "2026-04-21T00:45:23.094494+00:00", "vendors": ["post_grid_team_by_wpxpo", "post_grid_team_by_wpxpo$PRODUCT$postx-gutenberg_blocks_for_post_grid", "wordpress", "wordpress$PRODUCT$wordpress", "wpxpo", "wpxpo$PRODUCT$postx", "wpxpo$PRODUCT$postx_-_gutenberg_blocks_for_post_grid"]}