Platform
wordpress
Component
ultimate-post
Fixed in
5.0.9
CVE-2026-1273 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress. The flaw allows authenticated attackers with administrator-level access to make the server issue web requests to arbitrary locations, potentially exposing internal services and sensitive data. It affects versions 0.0.0 through 5.0.8; a patch is available in version 5.0.9.
The SSRF in PostX allows an authenticated administrator to craft malicious requests through the /ultp/v3/starter_dummy_post/ and /ultp/v3/starter_import_content/ REST API endpoints. This lets attackers query, and potentially modify, data held by internal services that the web application can reach. Successful exploitation could lead to information disclosure, privilege escalation, or even remote code execution if those internal services are themselves vulnerable. The impact is amplified by the plugin's popularity, which means a large number of WordPress sites may be affected. Although exploitation requires administrator privileges, the ease of exploitation once such access is gained presents a significant risk.
CVE-2026-1273 was publicly disclosed on 2026-03-04. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the SSRF nature of the vulnerability makes it relatively straightforward to exploit once administrator access is obtained.
WordPress websites running the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin at any version from 0.0.0 through 5.0.8 are at risk. Sites with weak password policies or compromised administrator accounts are especially exposed, since the vulnerability is reachable only with an administrator account. Shared hosting environments where plugin updates are not consistently managed also face increased risk.
• wordpress / composer / npm:
grep -r 'ultp/v3/starter_dummy_post/' /var/www/html/wp-content/plugins/ultimate-post/
• generic web:
curl -sI https://your-wordpress-site.com/wp-json/ultp/v3/starter_dummy_post/ | grep '^HTTP/'
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1273 is to upgrade the PostX plugin to version 5.0.9 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporary workarounds. Restrict access to the /ultp/v3/starter_dummy_post/ and /ultp/v3/starter_import_content/ endpoints with a web application firewall (WAF) or reverse proxy, blocking requests from unauthorized sources. Review WordPress user roles and permissions so that the principle of least privilege is enforced, since the vulnerability is reachable only through administrator accounts. After upgrading, confirm the fix by attempting to trigger the formerly vulnerable endpoints and verifying that the requests are blocked or properly sanitized.
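The detection commands above only confirm that the plugin is installed; what decides exposure is whether the installed copy is older than the fixed release. The following script is an added example, not code from the advisory or from the PostX project: it reads the "Version:" header that WordPress itself uses to report plugin versions from the plugin's main PHP file and compares it field by field against 5.0.9. The plugin directory name ultimate-post is taken from the advisory's component field; the sample plugin header the demo writes is constructed for the example and is not the real plugin file.

```shell
#!/bin/sh
# Added example, not part of the advisory or the PostX project: decide whether an
# installed PostX copy (plugin slug "ultimate-post", per the advisory's component
# field) is inside the affected range by reading its WordPress plugin header.

FIXED_VERSION="5.0.9"   # first patched release named by the advisory

# version_lt A B: exit 0 when dotted version A sorts before B, comparing each
# numeric field; missing trailing fields count as 0, equal versions are not "less".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# plugin_version DIR: print the "Version:" header from the plugin's main PHP file
# (the file carrying a "Plugin Name:" header); exit 1 if no such file exists.
plugin_version() {
    main_file=$(grep -l '^[[:space:]*]*Plugin Name:' "$1"/*.php 2>/dev/null | head -n1)
    [ -n "$main_file" ] || return 1
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$main_file" | head -n1
}

# is_affected DIR: exit 0 when the installed version is below FIXED_VERSION.
is_affected() {
    v=$(plugin_version "$1") || return 1
    version_lt "$v" "$FIXED_VERSION"
}

# make_sample_plugin VERSION: write a constructed plugin header (sample data, not
# the real ultimate-post.php) into a temp directory and print that directory.
make_sample_plugin() {
    dir=$(mktemp -d)/ultimate-post
    mkdir -p "$dir"
    printf '<?php\n/*\n * Plugin Name: PostX (constructed sample)\n * Version: %s\n */\n' "$1" \
        > "$dir/ultimate-post.php"
    printf '%s\n' "$dir"
}

# Demo: one constructed copy inside the affected range, one at the fixed release.
for ver in 5.0.8 5.0.9; do
    dir=$(make_sample_plugin "$ver")
    if is_affected "$dir"; then
        echo "$dir: version $(plugin_version "$dir") is affected by CVE-2026-1273; update to $FIXED_VERSION"
    else
        echo "$dir: version $(plugin_version "$dir") is at or above $FIXED_VERSION"
    fi
done
# Real use on a site: is_affected /var/www/html/wp-content/plugins/ultimate-post
```

The field-by-field comparison matters because a plain string or lexical sort would rank a hypothetical 5.0.10 below 5.0.9; the awk routine treats each dotted component as an integer, so it also handles the advisory's lower bound of 0.0.0 correctly.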
Update to version 5.0.9 or a more recent patched version
CVE-2026-1273 is a Server-Side Request Forgery vulnerability affecting the PostX WordPress plugin that allows authenticated administrators to make the server issue arbitrary web requests.
You are affected if your site runs PostX versions 0.0.0 through 5.0.8; exploitation requires an attacker who holds an administrator account on the site.
Upgrade the PostX plugin to version 5.0.9 or later. If an immediate upgrade is not possible, consider WAF rules restricting the affected endpoints as a temporary workaround.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability presents a potential risk.
Refer to the PostX plugin documentation and WordPress security announcements for the official advisory.