CVE-2026-0718
Unauthorized Data Modification in PostX WordPress Plugin via Missing Capability Check
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_postx | postx | up to 5.0.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress, specifically in the ultp_shareCount_callback() function. Due to a missing capability check, unauthenticated attackers can modify the share_count post meta for any post, including private or draft posts.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to alter the share count data of posts on a WordPress site using the affected plugin. This unauthorized modification can affect the integrity of post metadata, potentially misleading users or administrators about the popularity or sharing status of content, including private or draft posts.