Platform
wordpress
Component
ultimate-post
Fixed in
5.0.9
CVE-2026-1273 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress. This vulnerability allows authenticated attackers with administrator-level access to initiate web requests to arbitrary locations, potentially exposing internal services and sensitive data. The vulnerability affects versions 0.0.0 through 5.0.8, and a patch is available in version 5.0.9.
The SSRF vulnerability in PostX allows an authenticated administrator to control the destination of server-side requests made by the /ultp/v3/starterdummypost/ and /ultp/v3/starterimportcontent/ REST API endpoints, so that the WordPress host fetches a URL of the attacker's choosing. Because the request originates from the web server, it can reach services the attacker cannot contact directly: loopback and internal-network services, and on cloud hosts the instance metadata endpoint. Depending on what those services expose, this can mean information disclosure or, where an internal service accepts state-changing requests, modification of data and further compromise of that service. Note that the attacker must already hold administrator privileges, which in a default WordPress installation permit installing plugins and therefore running code on the site; the additional risk from this flaw is network reach from the server, not new code execution on the WordPress host itself. The plugin's popularity increases the number of sites where a compromised administrator account could be used this way, and once such access is held the vulnerability is straightforward to exploit.
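To show the pattern behind an SSRF of this kind, and the shape of the fix described in the mitigation section below, here is an added example that is not PostX's code (the page does not show the plugin's implementation). It contrasts a REST handler that fetches an administrator-supplied `url` parameter with an unvalidated `wp_remote_get()` against a hardened handler that pins the origin to an allowlist and fetches through `wp_safe_remote_get()`. The route name `example/v1/import`, the `url` parameter and the allowlisted hosts are assumptions.

```php
<?php
/**
 * Added illustration, not code from the PostX plugin. The route name,
 * the `url` parameter and the host allowlist below are assumptions.
 */

// Vulnerable pattern: the handler fetches whatever URL the caller supplies.
// The request leaves from the web server, so an administrator can point it
// at loopback services, RFC 1918 hosts or a cloud metadata endpoint that the
// server can see but the attacker cannot reach directly.
function example_import_vulnerable( WP_REST_Request $request ) {
    $url      = $request->get_param( 'url' );
    $response = wp_remote_get( $url ); // no scheme, host or redirect check
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return rest_ensure_response( wp_remote_retrieve_body( $response ) );
}

// Assumed allowlist: the only origins a starter-content importer should
// ever need to contact.
function example_allowed_hosts() {
    return array( 'demo.example.com', 'cdn.example.com' );
}

// Hardened pattern: require https, reject any host outside the allowlist,
// refuse redirects (a redirect target is a classic way around host checks),
// and fetch through wp_safe_remote_get(), which runs wp_http_validate_url()
// and rejects loopback, private and link-local hosts before connecting.
function example_import_hardened( WP_REST_Request $request ) {
    $url  = esc_url_raw( (string) $request->get_param( 'url' ), array( 'https' ) );
    $host = wp_parse_url( $url, PHP_URL_HOST );

    if ( empty( $url ) || ! in_array( $host, example_allowed_hosts(), true ) ) {
        return new WP_Error(
            'rest_forbidden_host',
            'URL origin not permitted.',
            array( 'status' => 400 )
        );
    }

    $response = wp_safe_remote_get(
        $url,
        array( 'redirection' => 0, 'timeout' => 10 )
    );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return rest_ensure_response( wp_remote_retrieve_body( $response ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_hardened',
        // Capability check alone does not stop SSRF: the administrator is
        // the attacker in this scenario, so the URL itself must be validated.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'url' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

Two points about the hardened version: the `permission_callback` is necessary but not sufficient, because the reported flaw is reachable by administrators anyway, so the defence has to be on the URL; and an allowlist of hostnames still depends on DNS, so a host that resolves to an internal address later (DNS rebinding) is only fully covered by egress filtering at the network layer.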
CVE-2026-1273 was publicly disclosed on 2026-03-04. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the SSRF nature of the vulnerability makes it relatively straightforward to exploit once administrator access is obtained.
Exploit Status
EPSS
0.04% (13th percentile)
The primary mitigation for CVE-2026-1273 is to upgrade the PostX plugin to version 5.0.9 or later as soon as possible. If upgrading is not immediately feasible because of compatibility concerns, apply temporary workarounds. Restrict access to the /ultp/v3/starterdummypost/ and /ultp/v3/starterimportcontent/ endpoints with a web application firewall (WAF) or reverse proxy; note that WordPress REST routes are reachable both at /wp-json/ultp/v3/... and via index.php?rest_route=/ultp/v3/..., so a rule that matches only the /wp-json/ path is incomplete. As defence in depth against any SSRF, restrict the web server's outbound traffic to loopback, RFC 1918 and link-local addresses (including the 169.254.169.254 cloud metadata endpoint) with egress filtering. Review WordPress user roles so that administrator accounts are limited to people who need them, and protect those accounts with strong authentication, since the flaw is only reachable with administrator privileges. After upgrading, confirm the installed version is 5.0.9 or later and, if you want to verify behaviour, send a request to each endpoint from an administrator session that points at a loopback or internal address and confirm the plugin rejects it rather than fetching it.
Update to version 5.0.9, or a newer patched version
CVE-2026-1273 is a Server-Side Request Forgery vulnerability affecting the PostX WordPress plugin, allowing authenticated administrators to make arbitrary web requests.
You are affected if your site runs PostX versions 0.0.0 through 5.0.8. Exploitation requires an account with administrator privileges, so the practical risk is highest where administrator credentials may be shared, weak, or exposed to compromise.
Upgrade the PostX plugin to version 5.0.9 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability presents a potential risk.
Refer to the PostX plugin documentation and WordPress security announcements for the official advisory.