CVE-2024-5326 - Vulnerability Details - OpenCVE

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.52926.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L160
https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L177
https://plugins.trac.wordpress.org/changeset/3093815/
https://www.wordfence.com/threat-intel/vulnerabilities/id/07a3db33-3787-4b63-835d-8e3026206842?source=cve

History

Wed, 08 Apr 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-862

Thu, 26 Feb 2026 23:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.47918}`	epss `{'score': 0.52703}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-30T10:59:29.483Z

Updated: 2026-04-08T16:34:02.520Z

Reserved: 2024-05-24T16:37:41.847Z

Link: CVE-2024-5326

Vulnrichment

Updated: 2024-08-01T21:11:12.432Z

NVD

Status : Awaiting Analysis

Published: 2024-05-30T11:15:30.970

Modified: 2026-04-08T17:19:01.780

Link: CVE-2024-5326

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-5326", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-05-24T16:37:41.847Z", "datePublished": "2024-05-30T10:59:29.483Z", "dateUpdated": "2026-04-08T16:34:02.520Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:02.520Z"}, "affected": [{"vendor": "wpxpo", "product": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks and WordPress Blog Plugin \u2013 PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator."}], "title": "Post Grid Gutenberg Blocks and WordPress Blog Plugin \u2013 PostX <= 4.1.2 - Missing Authorization to Arbitrary Options Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07a3db33-3787-4b63-835d-8e3026206842?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L177"}, {"url": "https://plugins.trac.wordpress.org/changeset/3093815/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "AmrAwad"}], "timeline": [{"time": "2024-05-29T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-04T15:26:53.899779Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:01:47.927Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.432Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07a3db33-3787-4b63-835d-8e3026206842?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L160", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L177", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3093815/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07a3db33-3787-4b63-835d-8e3026206842?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L160", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L177", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3093815/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.432Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-04T15:26:53.899779Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T15:26:57.287Z"}}], "cna": {"title": "Post Grid Gutenberg Blocks and WordPress Blog Plugin \u2013 PostX <= 4.1.2 - Missing Authorization to Arbitrary Options Update", "credits": [{"lang": "en", "type": "finder", "value": "AmrAwad"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wpxpo", "product": "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites \u2013 PostX", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-05-29T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07a3db33-3787-4b63-835d-8e3026206842?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L177"}, {"url": "https://plugins.trac.wordpress.org/changeset/3093815/"}], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks and WordPress Blog Plugin \u2013 PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:02.520Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5326", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:02.520Z", "dateReserved": "2024-05-24T16:37:41.847Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-30T10:59:29.483Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Grid Gutenberg Blocks and WordPress Blog Plugin \u2013 PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator."}, {"lang": "es", "value": "El complemento The Post Grid Gutenberg Blocks and WordPress Blog Plugin \u2013 PostX de WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'postx_presets_callback' en todas las versiones hasta la 4.1.2 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, cambien opciones arbitrarias en los sitios afectados. Esto se puede utilizar para habilitar el registro de nuevos usuarios y establecer la funci\u00f3n predeterminada para los nuevos usuarios en Administrador."}], "id": "CVE-2024-5326", "lastModified": "2026-04-08T17:19:01.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-30T11:15:30.970", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L160"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L177"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3093815/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07a3db33-3787-4b63-835d-8e3026206842?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L160"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/ultimate-post/trunk/classes/Styles.php#L177"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset/3093815/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07a3db33-3787-4b63-835d-8e3026206842?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}