{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0718", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-08T12:11:07.838Z", "datePublished": "2026-04-16T07:39:50.799Z", "dateUpdated": "2026-04-16T12:55:16.326Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T07:39:50.799Z"}, "affected": [{"vendor": "wpxpo", "product": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to modify the share_count post meta for any post, including private or draft posts."}], "title": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b2cf3b-5d35-4ce6-9453-1538a6f7752f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/ultimate-post/tags/5.0.5/classes/Blocks.php&new_path=/ultimate-post/tags/5.0.6/classes/Blocks.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Mohammad Amin Hajian"}], "timeline": [{"time": "2025-12-24T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-08T12:27:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T18:53:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:55:09.620614Z", "id": "CVE-2026-0718", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:55:16.326Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0718", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:55:09.620614Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:55:13.026Z"}}], "cna": {"title": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification", "credits": [{"lang": "en", "type": "finder", "value": "Mohammad Amin Hajian"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpxpo", "product": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-24T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-08T12:27:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-15T18:53:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b2cf3b-5d35-4ce6-9453-1538a6f7752f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/ultimate-post/tags/5.0.5/classes/Blocks.php&new_path=/ultimate-post/tags/5.0.6/classes/Blocks.php"}], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to modify the share_count post meta for any post, including private or draft posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T07:39:50.799Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0718", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:55:16.326Z", "dateReserved": "2026-01-08T12:11:07.838Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-16T07:39:50.799Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to modify the share_count post meta for any post, including private or draft posts."}], "id": "CVE-2026-0718", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T08:16:27.170", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/ultimate-post/tags/5.0.5/classes/Blocks.php&new_path=/ultimate-post/tags/5.0.6/classes/Blocks.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b2cf3b-5d35-4ce6-9453-1538a6f7752f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.0.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX", "source": "cna", "vendor": "wpxpo"}, "product": "post_grid_gutenberg_blocks_for_news,_magazines,_blog_websites_\u2013_postx", "vendor": "wpxpo"}], "analysis": {"en": {"generated_at": "2026-04-17T03:28:14.610630+00:00", "value": {"mitigation_remediation": ["Upgrade the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin to version 5.0.6 or later, which addresses the missing authorization check.", "If an immediate upgrade is not possible, disable the share count functionality or prevent public access to the ultp_shareCount_callback endpoint by either deactivating the plugin or restricting access through server configuration.", "Monitor WordPress logs for unusual activity involving the ultp_shareCount_callback endpoint to detect potential exploitation attempts."], "summary": {"action": "Patch Now", "impact": "Unauthorized modification of post meta data by unauthenticated users"}, "threat_synthesis": {"affected_systems": "WordPress users of the \"Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX\" plugin, with all versions up to and including 5.0.5, are affected. Updates beyond 5.0.5 are presumed to contain the fix.", "description_and_impact": "The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX plugin contains a missing capability check (CWE\u2011862) in the ultp_shareCount_callback() function, allowing any attacker to alter the share_count post meta of any post, including private or draft ones. This flaw compromises data integrity and can be used to manipulate engagement metrics.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.3, indicating moderate severity. EPSS information is unavailable and the issue is not listed in the CISA KEV catalog, so the likelihood of exploitation is unknown but potentially significant given the unauthenticated nature of the attack vector. Exploitation would involve sending crafted requests to the plugin\u2019s callback endpoint from an external source, requiring no special privileges."}}}}, "created": "2026-04-16T09:45:31.538908+00:00", "updated": "2026-04-17T03:30:08.601515+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpxpo", "wpxpo$PRODUCT$post_grid_gutenberg_blocks_for_news,_magazines,_blog_websites_\u2013_postx"]}