CVE-2025-12980

Post · Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX

Executive summary

A high-severity vulnerability has been identified in the PostX WordPress plugin, which could allow unauthorized individuals to access data. The flaw stems from a missing security check in a specific API endpoint, enabling unauthenticated attackers to retrieve potentially sensitive information from the website. Organizations using this plugin are at risk of data leakage, which could expose private content or other non-public information.

Vulnerability

This vulnerability is an Insecure Direct Object Reference (IDOR) caused by a missing capability check on the /ultp/v2/get_dynamic_content/ REST API endpoint. A capability check is the standard WordPress mechanism for verifying that the requesting user is permitted to read the requested data or perform the requested action. Because this check is absent, the endpoint never validates authorization, so an unauthenticated attacker can send a direct request to it and retrieve content that should be restricted, such as draft posts, private pages, or entries of other custom post types.
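
The following is an added illustration of the missing check described above; it is not the PostX plugin's code and not the vendor's fix. The route namespace and name are taken from this advisory, while the handler, the `post_id` parameter and the permission logic are assumptions. It assumes it runs inside WordPress, where `register_rest_route`, `get_post`, `current_user_can`, `is_post_publicly_viewable` and `WP_Error` are core functions.

```php
<?php
// Added illustration, not the PostX plugin's code or the vendor's fix.
// Route namespace and name come from the advisory; the handler, the 'post_id'
// parameter and the permission policy are assumptions. Runs inside WordPress.

// Handler: returns the content of the requested post. It does no authorization
// itself; WordPress REST relies on the route's permission_callback for that.
function example_get_dynamic_content( WP_REST_Request $request ) {
    $post = get_post( (int) $request->get_param( 'post_id' ) );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'      => $post->ID,
        'status'  => $post->post_status,
        'content' => $post->post_content,
    ) );
}

// Permission callback: this is the capability check. It follows the same rule
// core's posts controller applies: anything publicly viewable is readable by
// everyone; drafts, private posts and the like require the 'read_post' meta
// capability, which an anonymous request never has.
function example_can_read_dynamic_content( WP_REST_Request $request ) {
    $post = get_post( (int) $request->get_param( 'post_id' ) );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( is_post_publicly_viewable( $post ) || current_user_can( 'read_post', $post->ID ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'Sorry, you are not allowed to read this post.',
        array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
    );
}

add_action( 'rest_api_init', function () {
    // Served at /wp-json/ultp/v2/get_dynamic_content/ (the path in the advisory).
    register_rest_route( 'ultp/v2', '/get_dynamic_content', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_get_dynamic_content',
        // VULNERABLE pattern: '__return_true' here means no authorization at all,
        // so an unauthenticated request can read any post the handler can load.
        // 'permission_callback' => '__return_true',
        // HARDENED pattern: WordPress runs the check before the handler and turns a
        // false or WP_Error result into a 401/403 without touching the data.
        'permission_callback' => 'example_can_read_dynamic_content',
        'args'     => array(
            'post_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );
```

The design point is that the permission decision is tied to the object being requested, not only to whether the caller is logged in: a check like `current_user_can( 'edit_posts' )` alone would still let any contributor read every other author's private drafts, while `read_post` on the specific ID matches what the site already allows elsewhere.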

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to a significant data breach, resulting in the unauthorized disclosure of sensitive or confidential information not intended for public viewing. The specific risks to an organization include reputational damage from leaked private data, loss of competitive advantage if proprietary information is exposed, and potential non-compliance with data privacy regulations (e.g., GDPR, CCPA) if personal data is compromised.

Remediation

Immediate Action: Update the "Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX" plugin to the latest patched version provided by the vendor. If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface entirely.

Proactive Monitoring: Monitor web server access logs for an unusual number of requests to the /wp-json/ultp/v2/get_dynamic_content/ endpoint, particularly from unidentified or suspicious IP addresses. A sudden spike in traffic to this URL could indicate scanning or active exploitation attempts.
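
As an added example of the monitoring step above (not part of this advisory or of the PostX plugin), the script below parses access-log lines in the common "combined" format, keeps only requests to the endpoint, and summarizes them per client address. The log lines, IP addresses, timestamps, query strings and user agents are constructed for the example, and the per-client threshold is an assumption to tune for the site's normal traffic.

```php
<?php
// Added example for triaging web server access logs for the endpoint named in
// the advisory. Not part of the advisory or the PostX plugin. All log lines,
// addresses, timestamps, query strings and user agents below are constructed;
// PER_IP_THRESHOLD is an assumed value to tune per site.

const TARGET_PATH      = '/wp-json/ultp/v2/get_dynamic_content';
const PER_IP_THRESHOLD = 5; // hits from one client in the examined window

$sample_log = <<<'LOG'
198.51.100.20 - - [10/Nov/2025:14:01:58 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 6120 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Nov/2025:14:02:01 +0000] "GET /wp-json/ultp/v2/get_dynamic_content/?q=1 HTTP/1.1" 200 8192 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:14:02:01 +0000] "GET /wp-json/ultp/v2/get_dynamic_content/?q=2 HTTP/1.1" 200 8044 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:14:02:02 +0000] "GET /wp-json/ultp/v2/get_dynamic_content/?q=3 HTTP/1.1" 200 7990 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:14:02:02 +0000] "GET /wp-json/ultp/v2/get_dynamic_content/?q=4 HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:14:02:03 +0000] "GET /wp-json/ultp/v2/get_dynamic_content/?q=5 HTTP/1.1" 200 8301 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:14:02:03 +0000] "GET /wp-json/ultp/v2/get_dynamic_content/?q=6 HTTP/1.1" 200 8120 "-" "python-requests/2.31"
198.51.100.20 - - [10/Nov/2025:14:05:10 +0000] "GET /wp-json/ultp/v2/get_dynamic_content/?q=1 HTTP/1.1" 200 8192 "https://example.test/news/" "Mozilla/5.0 (X11; Linux x86_64)"
LOG;

// Parse one "combined" log line: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
function parse_log_line(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => parse_url($m['target'], PHP_URL_PATH) ?: $m['target'],
        'query'  => parse_url($m['target'], PHP_URL_QUERY) ?: '',
        'status' => (int) $m['status'],
        'ua'     => $m['ua'],
    ];
}

// Keep only requests whose path is the vulnerable endpoint (trailing slash optional).
function endpoint_hits(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_log_line($line);
        if ($r !== null && rtrim($r['path'], '/') === TARGET_PATH) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Per-client counts: total hits, successful (200) hits, distinct query strings,
// user agents seen, and the time span. A client above the threshold is flagged.
function per_client_summary(array $hits, int $threshold = PER_IP_THRESHOLD): array
{
    $summary = [];
    foreach ($hits as $h) {
        $s = &$summary[$h['ip']];
        $s['hits']  = ($s['hits'] ?? 0) + 1;
        $s['ok']    = ($s['ok'] ?? 0) + ($h['status'] === 200 ? 1 : 0);
        $s['queries'][$h['query']] = true;
        $s['agents'][$h['ua']]     = true;
        $s['first'] = $s['first'] ?? $h['time'];
        $s['last']  = $h['time'];
    }
    unset($s);
    foreach ($summary as &$s) {
        $s['distinct_queries'] = count($s['queries']);
        $s['agents']           = array_keys($s['agents']);
        $s['suspicious']       = $s['hits'] >= $threshold;
        unset($s['queries']);
    }
    unset($s);
    return $summary;
}

foreach (per_client_summary(endpoint_hits($sample_log)) as $ip => $s) {
    printf("%-15s hits=%d ok=%d distinct_queries=%d agents=%s span=%s..%s %s\n",
        $ip, $s['hits'], $s['ok'], $s['distinct_queries'], implode('|', $s['agents']),
        $s['first'], $s['last'], $s['suspicious'] ? 'SUSPICIOUS' : 'normal');
}
```

Run it with `php scan.php`; for a real log, replace `$sample_log` with `file_get_contents('/var/log/nginx/access.log')` or read from standard input. In the constructed sample, the client making six rapid requests with a scripting user agent and no referer is flagged, while the single browser request that arrives from a page on the site is not. Because the endpoint returns data on a successful request, the count of 200 responses matters more than the raw hit count when judging whether non-public content was actually retrieved.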

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block all external access to the vulnerable /ultp/v2/get_dynamic_content/ endpoint. Alternatively, temporarily disabling the PostX plugin will also mitigate the threat until a patch can be applied.
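
As an added example of a compensating control implemented inside WordPress rather than at the WAF (not vendor code and not part of this advisory), the must-use plugin below refuses the vulnerable route before any plugin handler runs. It assumes WordPress core's `rest_pre_dispatch` filter and `WP_REST_Request::get_route()`, and the policy of allowing only users who can edit posts is an assumption to adapt to the site.

```php
<?php
/**
 * Plugin Name: Temporary guard for ultp/v2/get_dynamic_content
 * Description: Added example, not vendor code. Place this file in
 *              wp-content/mu-plugins/ and delete it once PostX is updated
 *              to a fixed version.
 */

// rest_pre_dispatch runs before any route handler or permission callback.
// Returning a WP_Error here ends the request; returning $result unchanged
// lets WordPress continue normally.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // WordPress strips the trailing slash from the route before dispatch;
    // rtrim keeps the comparison robust either way.
    $route = rtrim( $request->get_route(), '/' );
    if ( $route !== '/ultp/v2/get_dynamic_content' ) {
        return $result;
    }

    // Assumed policy: only logged-in users who can edit posts may call the
    // endpoint until the patch is applied. Cookie-authenticated callers must
    // send the usual REST nonce, otherwise WordPress treats them as anonymous.
    if ( current_user_can( 'edit_posts' ) ) {
        return $result;
    }

    // Record the refusal so log monitoring has a second signal to correlate.
    error_log( sprintf(
        'Blocked unauthenticated call to %s from %s',
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden',
        'This endpoint is temporarily restricted.',
        array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
    );
}, 10, 3 );
```

Two caveats apply equally to this guard and to the WAF rule. First, it blocks anonymous front-end use of the endpoint, so any PostX block on public pages that fetches content this way will stop rendering for visitors; that is the same trade-off as disabling the plugin, only narrower. Second, WordPress also accepts REST calls through the `?rest_route=/ultp/v2/get_dynamic_content` query form on the site root, so a WAF rule written only against the `/wp-json/ultp/v2/get_dynamic_content/` path should be extended to cover that form; the filter above sees both, because it runs inside the REST server rather than on the URL.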

Exploitation status

Public Exploit Available: false

Analyst recommendation

We strongly recommend that all organizations using the affected PostX plugin prioritize the immediate application of the security update. Given the High severity (CVSS 7.5) and the simplicity of exploiting this unauthenticated information disclosure vulnerability, the risk of a data breach is substantial. Although this CVE is not currently on the CISA KEV list, its characteristics make it an attractive target for widespread, automated attacks against vulnerable WordPress sites.