Cyber Resilience

CVE-2026-1273

Severity: High

Published: 04 March 2026
Modified: 22 April 2026
KEV added: not listed
CVSS v3.1 score: 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0002 (3.7th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1273 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in WordPress (the affected product is inferred from the references). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 3.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1273 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress. It impacts all versions up to and including 5.0.8 and is exploitable through the `/ultp/v3/starter_dummy_post/` and `/ultp/v3/starter_import_content/` REST API endpoints within the plugin's Importer.php class. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), highlighting its high severity due to network accessibility, low complexity, and scope change.

Authenticated attackers with Administrator-level access or higher can exploit this SSRF flaw to originate web requests from the WordPress server to arbitrary locations. This capability allows them to query and modify information from internal services that are not directly accessible from the internet, potentially leading to data leakage or unauthorized alterations within the victim's infrastructure.

References to the vulnerability point to specific code locations in the plugin's Importer.php file, including lines 196 and 261 in the 5.0.5 tag and trunk versions, as well as changeset 3469409 in the WordPress plugin repository. These indicate the vulnerable code paths and likely patch details, suggesting mitigation through updating to a version beyond 5.0.8 where the Importer class has been modified to address the SSRF issue.

Vulnerability details

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.8 via the `/ultp/v3/starter_dummy_post/` and `/ultp/v3/starter_import_content/` REST API endpoints. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing WordPress plugin REST endpoints directly enables exploitation of an internet-accessible application to reach internal services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6514 (shared CWE-918)
CVE-2026-44116 (shared CWE-918)
CVE-2026-21887 (shared CWE-918)
CVE-2026-31910 (shared CWE-918)
CVE-2026-48153 (shared CWE-918)
CVE-2026-45298 (shared CWE-918)
CVE-2026-39362 (shared CWE-918)
CVE-2026-31989 (shared CWE-918)
CVE-2025-27652 (shared CWE-918)
CVE-2026-42352 (shared CWE-918)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly mitigates the SSRF by requiring validation of untrusted URL inputs supplied to the /ultp/v3/starter_* REST endpoints before any outbound requests are issued.

Prevent: AC-4 (Information Flow Enforcement). Enforces an information-flow policy that prohibits the WordPress server process from initiating arbitrary connections to internal services on behalf of the plugin's Importer.php code.

Prevent: Boundary protection. Boundary-protection devices or proxies can be configured to block or inspect the unexpected outbound requests originating from the vulnerable plugin endpoints.
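A concrete form of the SI-10 input check described above, as an added example that is not code from the PostX plugin or WordPress core: the validator rejects non-http(s) schemes, embedded credentials, and any destination that resolves to a loopback, private or link-local address before the server is allowed to fetch it. The helper names, the fake DNS table and the sample URLs are constructed for this demo.

```php
<?php
// Added example, not code from the PostX plugin or WordPress core: the destination check an
// import endpoint should apply to a user-supplied URL before the server fetches it.
// Function names, the fake resolver and the sample URLs are constructed for this demo.
// True for loopback, RFC 1918 private, link-local (169.254/16, fe80::/10) and other
// reserved ranges, and for anything that is not a valid IP literal at all.
function is_blocked_ip(string $ip): bool {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

// Returns [bool $allowed, string $reason]. $resolve maps a hostname to its A/AAAA records
// so the check runs offline here; in production pass gethostbynamel() or dns_get_record().
function validate_import_url(string $url, callable $resolve, array $allowed_hosts = []): array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme'])) { return [false, 'unparseable URL']; }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed'];            // rejects file:, ftp:, gopher:, ...
    }
    if (empty($p['host']))                      { return [false, 'missing host']; }
    if (isset($p['user']) || isset($p['pass'])) { return [false, 'credentials embedded in URL']; }
    $host = strtolower(trim($p['host'], '[]'));          // strip brackets from IPv6 literals
    if ($allowed_hosts && !in_array($host, $allowed_hosts, true)) {
        return [false, 'host not on allowlist'];
    }
    // An IP literal is checked directly; a hostname must have every record public,
    // otherwise a name mixing public and internal addresses would slip through.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (!$ips) { return [false, 'host did not resolve']; }
    foreach ($ips as $ip) {
        if (is_blocked_ip($ip)) { return [false, "resolves to non-public address $ip"]; }
    }
    // Caveat: DNS may change between this check and the fetch; pin the fetch to $ips[0]
    // (resolver override in the HTTP client) to close that window.
    return [true, 'ok'];
}

// Constructed DNS table standing in for real resolution (203.0.113.0/24 is TEST-NET-3).
$fake_dns = fn(string $h): array => [
    'cdn.example'   => ['203.0.113.10'],
    'mixed.example' => ['203.0.113.11', '10.0.0.5'],     // public and private records
][$h] ?? [];

$samples = ['https://cdn.example/starter.json', 'http://127.0.0.1:8080/', 'http://169.254.169.254/',
            'http://[::1]/', 'file:///tmp/starter.json', 'https://mixed.example/', 'https://u:p@cdn.example/'];
foreach ($samples as $u) {
    [$ok, $why] = validate_import_url($u, $fake_dns);
    printf("%-5s %-38s %s\n", $ok ? 'ALLOW' : 'BLOCK', $u, $why);
}
```

Only the first sample is allowed; every other URL is blocked with the stated reason. WordPress core offers an equivalent guard through wp_safe_remote_get(), which sets reject_unsafe_urls and runs the target through wp_http_validate_url().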
