CVE-2026-1273
Published: 04 March 2026
Summary
CVE-2026-1273 is a high-severity SSRF (CWE-918) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1273 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress. It impacts all versions up to and including 5.0.8 and is exploitable through the `/ultp/v3/starter_dummy_post/` and `/ultp/v3/starter_import_content/` REST API endpoints within the plugin's Importer.php class. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), highlighting its high severity due to network accessibility, low complexity, and scope change.
Authenticated attackers with Administrator-level access or higher can exploit this SSRF flaw to originate web requests from the WordPress server to arbitrary locations. This capability allows them to query and modify information from internal services that are not directly accessible from the internet, potentially leading to data leakage or unauthorized alterations within the victim's infrastructure.
References to the vulnerability point to specific code locations in the plugin's Importer.php file, including lines 196 and 261 in the 5.0.5 tag and trunk versions, as well as changeset 3469409 in the WordPress plugin repository. These indicate the vulnerable code paths and likely patch details, suggesting mitigation through updating to a version beyond 5.0.8 where the Importer class has been modified to address the SSRF issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9349
Vulnerability details
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.8 via the `/ultp/v3/starter_dummy_post/` and `/ultp/v3/starter_import_content/` REST API endpoints. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SSRF in public-facing WordPress plugin REST endpoints directly enables exploitation of an internet-accessible application to reach internal services.
Affected Assets
- Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress, all versions up to and including 5.0.8
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the SSRF by requiring validation of untrusted URL inputs supplied to the /ultp/v3/starter_* REST endpoints before any outbound requests are issued.
- AC-4 (Information Flow Enforcement): enforces an information-flow policy that prohibits the WordPress server process from initiating arbitrary connections to internal services on behalf of the plugin's Importer.php code.
- Boundary protection: boundary-protection devices or proxies can be configured to block or inspect unexpected outbound requests originating from the vulnerable plugin endpoints.
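The following is an added example of the SI-10 / AC-4 pattern the controls above describe, written for this page; it is not code from the PostX plugin, from the advisory, or from the referenced changeset. It shows a WordPress REST callback that validates an administrator-supplied URL before the server fetches it: the core function wp_http_validate_url() rejects non-http(s) schemes, embedded credentials, unusual ports and hosts that resolve to loopback or private ranges, an explicit host allow-list then rejects everything except the one host the importer is meant to use, and wp_safe_remote_get() re-applies the safety check on every redirect hop. The route name example/v1/import, the function names prefixed example_, and the allow-listed host EXAMPLE_IMPORT_HOST are assumptions made for the example.

```php
<?php
/**
 * Added example, not PostX plugin code: a REST callback that validates an
 * untrusted URL (SI-10) and only then lets the server fetch it (AC-4).
 *
 * Assumed for illustration: route 'example/v1/import', the example_* function
 * names and the allow-listed host below.
 */

// Hypothetical allow-list: the only host this importer is ever meant to fetch from.
const EXAMPLE_IMPORT_HOST = 'demo.example.com';

/**
 * Return the validated URL, or a WP_Error describing why it was rejected.
 * wp_http_validate_url() and wp_parse_url() are WordPress core functions.
 */
function example_validate_import_url( $url ) {
    $url = trim( (string) $url );

    // 1. Core safety check: http(s) only, no user:pass@, safe port, and the
    //    host must not be (or resolve to) a loopback/private address.
    $valid = wp_http_validate_url( $url );
    if ( false === $valid ) {
        return new WP_Error( 'unsafe_url', 'URL failed safety validation.', array( 'status' => 400 ) );
    }

    // 2. Host allow-list: a public host is still rejected unless it is ours.
    $host = wp_parse_url( $valid, PHP_URL_HOST );
    if ( ! is_string( $host ) || strtolower( $host ) !== EXAMPLE_IMPORT_HOST ) {
        return new WP_Error( 'host_not_allowed', 'Host is not on the import allow-list.', array( 'status' => 400 ) );
    }

    // 3. Require TLS so imported content cannot be altered in transit.
    if ( 'https' !== wp_parse_url( $valid, PHP_URL_SCHEME ) ) {
        return new WP_Error( 'scheme_not_allowed', 'Only https:// import sources are accepted.', array( 'status' => 400 ) );
    }

    return $valid;
}

/** REST callback: validate first, then fetch through the "safe" HTTP API wrapper. */
function example_import_content( WP_REST_Request $request ) {
    $url = example_validate_import_url( $request->get_param( 'url' ) );
    if ( is_wp_error( $url ) ) {
        return $url; // The REST API renders a WP_Error as a JSON error response.
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, which WP_Http applies again
    // on each redirect, so a 302 to an internal address is refused as well.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'fetch_failed', $response->get_error_message(), array( 'status' => 502 ) );
    }

    return rest_ensure_response( array(
        'status' => wp_remote_retrieve_response_code( $response ),
        'bytes'  => strlen( wp_remote_retrieve_body( $response ) ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_content',
        // Administrator-only, the same privilege level the advisory names.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'url' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return ! is_wp_error( example_validate_import_url( $value ) );
                },
            ),
        ),
    ) );
} );
```

Two design points worth noting. The allow-list is doing the real work: wp_http_validate_url() resolves the hostname once at validation time and the HTTP client resolves it again when connecting, so a host whose DNS answer changes between the two lookups would pass the core check alone, whereas a fixed, known host cannot be redirected to an internal address by its own operator. And the permission_callback does not remove the need for URL validation, since the advisory's attacker already holds Administrator access; it only keeps lower-privileged users off the endpoint entirely.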