{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69313", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:13.400Z", "datePublished": "2026-01-22T16:52:32.119Z", "dateUpdated": "2026-04-28T20:48:25.367Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ultimate-post", "product": "PostX", "vendor": "WPXPO", "versions": [{"changes": [{"at": "5.0.4", "status": "unaffected"}], "lessThanOrEqual": "5.0.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "MD ISMAIL | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:24.654Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects PostX: from n/a through <= 5.0.3.</p>"}], "value": "Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 5.0.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.262Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress PostX plugin <= 5.0.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:15:13.359296Z", "id": "CVE-2025-69313", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:48:25.367Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69313", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:15:13.359296Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:15:09.188Z"}}], "cna": {"title": "WordPress PostX plugin <= 5.0.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "MD ISMAIL | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "WPXPO", "product": "PostX", "versions": [{"status": "affected", "changes": [{"at": "5.0.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0.3"}], "packageName": "ultimate-post", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:24.654Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 5.0.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects PostX: from n/a through <= 5.0.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:13.337Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69313", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:13.337Z", "dateReserved": "2025-12-31T20:12:13.400Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:32.119Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 5.0.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WPXPO PostX ultimate-post permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a PostX: desde n/a hasta &lt;= 5.0.3."}], "id": "CVE-2025-69313", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:26.960", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:12:31.457441+00:00", "value": {"mitigation_remediation": ["Update the PostX (ultimate\u2011post) plugin to the latest version that addresses the access control flaw", "If an update cannot be applied immediately, disable the plugin or restrict plugin functionality to administrators only", "Review and enforce proper role\u2011based access controls for post editing and management features within WordPress"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WPXPO PostX plugin, also known as ultimate\u2011post, in all releases up to and including version 5.0.3. WordPress sites that have this plugin installed and have not applied newer updates are susceptible. No other products are listed as affected.", "description_and_impact": "Missing Authorization flaw in WPXPO PostX plugin allows an attacker to perform privileged actions that should be restricted, such as creating, editing, or deleting posts. The flaw arises from incorrectly configured access control security levels, resulting in a CWE\u2011862 vulnerability. The potential impact includes unauthorized data manipulation and possible escalation of privileges within the WordPress site.", "risk_and_exploitability": "The CVSS base score of 7.5 classifies the issue as high severity, while the EPSS score of less than 1\u202f% indicates a low probability of exploitation at this time. The vulnerability is not present in the CISA KEV catalog. The attack likely requires a compromised or legitimate user session, as the flaw involves missing authorization checks. An attacker who can authenticate (or exploit the plugin\u2019s administrative endpoints) can elevate privileges or manipulate content without permission."}}}}, "created": "2026-01-23T16:28:20.339130+00:00", "updated": "2026-04-27T21:15:05.549528+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpxpo", "wpxpo$PRODUCT$postx"]}