{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wp-grid-builder-plugin--2.3.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-13756"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP Grid Builder plugin \u003c= 2.3.3"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","wordpress","plugin","cve"],"_cs_type":"advisory","_cs_vendors":["WP Grid Builder","WordPress"],"content_html":"\u003cp\u003eA critical privilege escalation vulnerability, tracked as CVE-2026-13756, exists in all versions up to and including 2.3.3 of the WP Grid Builder plugin for WordPress. This flaw stems from inadequate authorization checks and meta key validation within the \u003ccode\u003eupdate()\u003c/code\u003e handler of the \u003ccode\u003e/wp-json/wpgb/v2/metadata\u003c/code\u003e REST endpoint. Exploitation allows authenticated attackers, even those with low-privileged Subscriber accounts, to elevate their user privileges to Administrator level. By sending a specially crafted nested array payload that manipulates the \u003ccode\u003ewp_capabilities\u003c/code\u003e user meta, an attacker can bypass security controls and gain full control over the affected WordPress site. This vulnerability poses a significant risk to the integrity and security of WordPress installations utilizing the WP Grid Builder plugin, potentially leading to complete website compromise, data manipulation, or further malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker, possessing at least Subscriber-level privileges on a WordPress site, identifies the presence of the vulnerable WP Grid Builder plugin (version 2.3.3 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specific JSON payload designed to modify their \u003ccode\u003ewp_capabilities\u003c/code\u003e user meta, embedding a nested array structure within it.\u003c/li\u003e\n\u003cli\u003eThe attacker then sends an HTTP POST request targeting the \u003ccode\u003e/wp-json/wpgb/v2/metadata\u003c/code\u003e REST endpoint of the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eThe crafted JSON payload, containing the desired \u003ccode\u003ewp_capabilities\u003c/code\u003e modification, is included in the body of this HTTP POST request.\u003c/li\u003e\n\u003cli\u003eDue to missing authorization and insufficient meta key validation in the plugin's \u003ccode\u003eupdate()\u003c/code\u003e handler, the malicious request is processed without proper scrutiny.\u003c/li\u003e\n\u003cli\u003eThe plugin's functionality updates the attacker's \u003ccode\u003ewp_capabilities\u003c/code\u003e user meta with the values provided in the crafted payload.\u003c/li\u003e\n\u003cli\u003eAs a result, the attacker's user account is granted Administrator-level privileges, effectively escalating their access.\u003c/li\u003e\n\u003cli\u003eThe attacker now possesses full administrative control over the WordPress site, enabling further malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13756 leads directly to full administrative control over the compromised WordPress instance. This allows attackers to perform any action an administrator can, including installing malicious plugins, modifying theme files, injecting malware, defacing the website, stealing sensitive data, or redirecting site visitors to malicious domains. While no specific victim counts or targeted sectors are available, any WordPress site running the vulnerable WP Grid Builder plugin is at risk of complete compromise, potentially impacting business operations, user trust, and data privacy. The high CVSS score of 8.8 reflects the critical nature of this privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the WP Grid Builder plugin to the latest patched version to remediate CVE-2026-13756.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts targeting the \u003ccode\u003e/wp-json/wpgb/v2/metadata\u003c/code\u003e REST endpoint.\u003c/li\u003e\n\u003cli\u003eRegularly review webserver logs (specifically for the \u003ccode\u003e/wp-json/wpgb/v2/metadata\u003c/code\u003e endpoint) for unusual POST requests, particularly those from low-privileged users, and tune the detection rule to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T02:17:38Z","date_published":"2026-07-11T02:17:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-privilege-escalation-wp-grid-builder/","summary":"An authenticated attacker with Subscriber-level access or higher can exploit a missing authorization and meta key validation vulnerability in the WP Grid Builder plugin for WordPress (versions up to and including 2.3.3) by sending a crafted nested array payload to the `/wp-json/wpgb/v2/metadata` REST endpoint, which allows them to update their own `wp_capabilities` user meta and effectively escalate their privileges to Administrator level.","title":"CVE-2026-13756 - Privilege Escalation in WP Grid Builder WordPress Plugin","url":"https://feed.craftedsignal.io/briefs/2026-07-privilege-escalation-wp-grid-builder/"}],"language":"en","title":"CraftedSignal Threat Feed - WP Grid Builder Plugin \u003c= 2.3.3","version":"https://jsonfeed.org/version/1.1"}