<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WP Grid Builder Plugin &lt;= 2.3.3 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/wp-grid-builder-plugin--2.3.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 02:17:38 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/wp-grid-builder-plugin--2.3.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-13756 - Privilege Escalation in WP Grid Builder WordPress Plugin</title><link>https://feed.craftedsignal.io/briefs/2026-07-privilege-escalation-wp-grid-builder/</link><pubDate>Sat, 11 Jul 2026 02:17:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-privilege-escalation-wp-grid-builder/</guid><description>An authenticated attacker with Subscriber-level access or higher can exploit a missing authorization and meta key validation vulnerability in the WP Grid Builder plugin for WordPress (versions up to and including 2.3.3) by sending a crafted nested array payload to the `/wp-json/wpgb/v2/metadata` REST endpoint, which allows them to update their own `wp_capabilities` user meta and effectively escalate their privileges to Administrator level.</description><content:encoded><![CDATA[<p>A critical privilege escalation vulnerability, tracked as CVE-2026-13756, exists in all versions up to and including 2.3.3 of the WP Grid Builder plugin for WordPress. This flaw stems from inadequate authorization checks and meta key validation within the <code>update()</code> handler of the <code>/wp-json/wpgb/v2/metadata</code> REST endpoint. Exploitation allows authenticated attackers, even those with low-privileged Subscriber accounts, to elevate their user privileges to Administrator level. By sending a specially crafted nested array payload that manipulates the <code>wp_capabilities</code> user meta, an attacker can bypass security controls and gain full control over the affected WordPress site. This vulnerability poses a significant risk to the integrity and security of WordPress installations utilizing the WP Grid Builder plugin, potentially leading to complete website compromise, data manipulation, or further malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker, possessing at least Subscriber-level privileges on a WordPress site, identifies the presence of the vulnerable WP Grid Builder plugin (version 2.3.3 or earlier).</li>
<li>The attacker crafts a specific JSON payload designed to modify their <code>wp_capabilities</code> user meta, embedding a nested array structure within it.</li>
<li>The attacker then sends an HTTP POST request targeting the <code>/wp-json/wpgb/v2/metadata</code> REST endpoint of the vulnerable WordPress site.</li>
<li>The crafted JSON payload, containing the desired <code>wp_capabilities</code> modification, is included in the body of this HTTP POST request.</li>
<li>Due to missing authorization and insufficient meta key validation in the plugin's <code>update()</code> handler, the malicious request is processed without proper scrutiny.</li>
<li>The plugin's functionality updates the attacker's <code>wp_capabilities</code> user meta with the values provided in the crafted payload.</li>
<li>As a result, the attacker's user account is granted Administrator-level privileges, effectively escalating their access.</li>
<li>The attacker now possesses full administrative control over the WordPress site, enabling further malicious actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-13756 leads directly to full administrative control over the compromised WordPress instance. This allows attackers to perform any action an administrator can, including installing malicious plugins, modifying theme files, injecting malware, defacing the website, stealing sensitive data, or redirecting site visitors to malicious domains. While no specific victim counts or targeted sectors are available, any WordPress site running the vulnerable WP Grid Builder plugin is at risk of complete compromise, potentially impacting business operations, user trust, and data privacy. The high CVSS score of 8.8 reflects the critical nature of this privilege escalation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the WP Grid Builder plugin to the latest patched version to remediate CVE-2026-13756.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts targeting the <code>/wp-json/wpgb/v2/metadata</code> REST endpoint.</li>
<li>Regularly review webserver logs (specifically for the <code>/wp-json/wpgb/v2/metadata</code> endpoint) for unusual POST requests, particularly those from low-privileged users, and tune the detection rule to reduce false positives.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>wordpress</category><category>plugin</category><category>cve</category></item></channel></rss>