What the vulnerability does
01 Description
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.
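For sites that ran an affected version, access logs show whether the endpoint named above was requested. The following is an added example, not code from the advisory or the plugin: it scans web server logs for requests to that route in both WordPress REST URL forms. It assumes Combined Log Format and the default `wp-json` REST prefix; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Route named in the advisory. WordPress serves REST routes under /wp-json/
# (assumed default prefix) and, with plain permalinks, via ?rest_route=.
ROUTE = "/ultp/v2/get_dynamic_content"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def targets_route(target):
    """True if the request target addresses the advisory's REST route."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower().rstrip("/")
    if path.endswith("/wp-json" + ROUTE):
        return True
    # Plain-permalink form; parse_qs also decodes %2F-encoded slashes.
    for value in parse_qs(parts.query).get("rest_route", []):
        if value.lower().rstrip("/") == ROUTE:
            return True
    return False

def find_hits(lines):
    """Return (ip, time, status, size) for each request to the route."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and targets_route(m["target"]):
            hits.append((m["ip"], m["time"], int(m["status"]), m["size"]))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [22/Dec/2025:10:01:02 +0000] "POST /wp-json/ultp/v2/get_dynamic_content/ HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.9 - - [22/Dec/2025:10:02:10 +0000] "GET /?rest_route=%2Fultp%2Fv2%2Fget_dynamic_content HTTP/1.1" 200 4711 "-" "python-requests/2.31"',
    '192.0.2.15 - - [22/Dec/2025:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Dec/2025:10:04:00 +0000] "POST /wp-json/ultp/v2/get_dynamic_content HTTP/1.1" 401 120 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, when, status, size in find_hits(SAMPLE):
        # A 2xx answer means the endpoint returned data to the requester.
        flag = "REVIEW" if 200 <= status < 300 else "blocked/failed"
        print(f"{when} {ip} status={status} bytes={size} {flag}")
```

Requests that carry the route only in a POST body do not appear in access logs, so a clean result here does not rule out access.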
Explanation of Vulnerability in Simple Terms
02 Summary
The Post Grid Gutenberg Blocks plugin for WordPress does not properly check user permissions before allowing access to sensitive data. An unauthenticated attacker can read information that should be restricted, such as unpublished posts or private content. This affects all versions up to 5.0.3. Site administrators should update to a version newer than 5.0.3 as soon as it becomes available.
What an attacker can do
03 Attacker Capabilities
Read restricted post data and private content without logging in.
Potential impact on your site
04 Site Impact
Unpublished drafts, private posts, and other restricted content may be exposed to the public.
Conditions required to exploit
05 Prerequisites
None. The attacker needs only network access; no authentication or user interaction is required.
Key dates
06 Disclosure timeline
December 21, 2025: CVE published
April 8, 2026: Record updated