The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Security & Risk Analysis

wordpress.org/plugins/the-post-grid

Display WordPress posts in beautiful grid, list, slider, and filter layouts. Works with Gutenberg, Elementor, Divi, and Shortcodes.

100K active installs · v7.8.9 · PHP 7.4+ · WP 4.5+ · Updated Feb 16, 2026

Tags: content-grid, post-display, post-grid, post-grid-elementor-addon, post-slider

Score: 96 · Grade A · Safe
CVEs total: 11
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Safe to Use in 2026?

Generally Safe

Score 96/100

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Mar 27, 2025 · Updated 1mo ago
Risk Assessment

The security posture of "the-post-grid" v7.8.9 presents a mixed picture, with some strong security practices offset by significant concerns. The plugin demonstrates good habits in its use of prepared statements for SQL queries and proper output escaping, with a very high percentage of both. The presence of nonce checks and capability checks also indicates an awareness of security fundamentals. However, the presence of two AJAX handlers without authentication checks is a notable weakness, creating a direct attack vector for unauthorized actions. The use of the `unserialize` function, while only present once, is a critical function known for its potential to introduce vulnerabilities if used with untrusted input. Taint analysis did not reveal any critical or high severity flows, which is a positive sign, suggesting that internal data handling may be reasonably secure.

The plugin's vulnerability history, however, is a significant red flag. With 11 known CVEs, and past vulnerabilities including Remote File Inclusion, Information Exposure, Missing Authorization, Cross-Site Scripting, and CSRF, there's a clear pattern of recurring security flaws. Although no currently unpatched CVEs were identified, the sheer volume and diversity of past issues suggest a historical tendency towards exploitable vulnerabilities. The most recent vulnerability recorded in 2025 indicates that the plugin has had security issues identified relatively recently, further emphasizing the need for vigilance.

In conclusion, while "the-post-grid" v7.8.9 exhibits strengths in its output escaping and prepared statements, the critical risk posed by unprotected AJAX endpoints and the extensive history of diverse and serious vulnerabilities necessitate caution. Developers should prioritize addressing the unprotected AJAX handlers and consider a thorough code audit to prevent the recurrence of past vulnerability types.

Key Concerns

  • 2 AJAX handlers without auth checks
  • Use of dangerous function: unserialize
  • Total known CVEs: 11
  • Vulnerability history includes critical types
Vulnerabilities (11)

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2024: 8 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 10

11 total CVEs

CVE-2025-30814 · High · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The Post Grid <= 7.7.17 - Authenticated (Contributor+) Local File Inclusion

Mar 27, 2025 · Patched in 7.7.18 (8d)

CVE-2024-3635 · Medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Post Grid <= 7.4.3 - Authenticated (Editor+) Stored Cross-Site Scripting

Sep 9, 2024 · Patched in 7.5.0 (25d)

CVE-2024-7418 · Medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

The Post Grid <= 7.7.11 - Authenticated (Contributor+) Information Disclosure

Aug 28, 2024 · Patched in 7.7.12 (1d)

CVE-2024-37483 · Medium · 4.3 · Missing Authorization

The Post Grid <= 7.7.4 - Missing Authorization via save_block_css

Jul 4, 2024 · Patched in 7.7.5 (7d)

CVE-2024-37482 · Medium · 4.3 · Missing Authorization

The Post Grid <= 7.7.4 - Missing Authorization via AJAX

Jul 4, 2024 · Patched in 7.7.5 (7d)

CVE-2024-37481 · Medium · 5.3 · Missing Authorization

The Post Grid <= 7.7.4 - Missing Authorization via REST API

Jul 4, 2024 · Patched in 7.7.5 (7d)

CVE-2024-1427 · Medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Post Grid <= 7.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via section title tag

Jul 1, 2024 · Patched in 7.7.2 (1d)

CVE-2024-35739 · Medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 6, 2024 · Patched in 7.7.2 (8d)

CVE-2024-3936 · Medium · 4.3 · Missing Authorization

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.6.1 - Missing Authorization

Apr 30, 2024 · Patched in 7.7.0 (3d)

CVE-2023-39923 · Medium · 4.3 · Cross-Site Request Forgery (CSRF)

The Post Grid <= 7.2.7 - Cross-Site Request Forgery

Aug 7, 2023 · Patched in 7.2.8 (169d)

CVE-2022-46853 · Medium · 4.3 · Cross-Site Request Forgery (CSRF)

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 5.0.4 - Cross-Site Request Forgery in rttpg_spare_me

Feb 20, 2023 · Patched in 5.0.5 (337d)
Code Analysis
Analyzed Mar 16, 2026

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 1 (6 prepared)
  • Unescaped Output: 57 (1489 escaped)
  • Nonce Checks: 13
  • Capability Checks: 27
  • File Operations: 4
  • External Requests: 4
  • Bundled Libraries: 1

Dangerous Functions Found

  • `unserialize` (app\Helpers\Fns.php:3211): `$c = $group->post_content ? unserialize( $group->post_content ) : [];`

Bundled Libraries

Select2

SQL Query Safety

86% prepared (7 total queries)

Output Escaping

96% escaped (1546 total outputs)

Data Flows (All sanitized)

Data Flow Analysis

5 flows

  • rtTPGSaveSettings (app\Controllers\AjaxController.php:139)
Attack Surface (2 unprotected)

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Attack Surface

Entry Points: 30
Unprotected: 2

AJAX Handlers 20

  • wp_ajax_tpgPreviewAjaxCall [auth] (app\Controllers\Admin\AdminAjaxController.php:35)
  • wp_ajax_rttpg_dismiss_black_friday_notice [auth] (app\Controllers\Admin\Notice\BlackFriday.php:33)
  • wp_ajax_dismiss_eid_notice [auth] (app\Controllers\Admin\Notice\EidSpecial.php:25)
  • wp_ajax_dismiss_summer_notice [auth] (app\Controllers\Admin\Notice\SummerSale.php:25)
  • wp_ajax_rtTPGSettings [auth] (app\Controllers\AjaxController.php:28)
  • wp_ajax_rtTPGShortCodeList [auth] (app\Controllers\AjaxController.php:29)
  • wp_ajax_rtTPGTaxonomyListByPostType [auth] (app\Controllers\AjaxController.php:30)
  • wp_ajax_rtTPGIsotopeFilter [auth] (app\Controllers\AjaxController.php:31)
  • wp_ajax_rtTPGTermListByTaxonomy [auth] (app\Controllers\AjaxController.php:32)
  • wp_ajax_defaultFilterItem [auth] (app\Controllers\AjaxController.php:33)
  • wp_ajax_getCfGroupListAsField [auth] (app\Controllers\AjaxController.php:34)
  • wp_ajax_rttpg_block_css_save [auth] (app\Controllers\BlocksController.php:41)
  • wp_ajax_rttpg_block_css_get_posts [auth] (app\Controllers\BlocksController.php:42)
  • wp_ajax_rttpg_block_css_appended [auth] (app\Controllers\BlocksController.php:43)
  • wp_ajax_rttpg_get_layouts [auth] (app\Controllers\BlocksController.php:44)
  • wp_ajax_rttpg_guten_layout_count [auth] (app\Controllers\BlocksController.php:45)
  • wp_ajax_rttpg_get_el_layouts [auth] (app\Controllers\ElementorController.php:52)
  • wp_ajax_rttpg_el_layout_count [auth] (app\Controllers\ElementorController.php:53)
  • wp_ajax_install_plugin [auth] (app\Controllers\Hooks\InstallPlugins.php:34)
  • wp_ajax_activate_plugin [auth] (app\Controllers\Hooks\InstallPlugins.php:89)

REST API Routes 9

  • GET /wp-json/rttpg/v1/acf (app\Controllers\Api\ACFV1.php:13)
  • POST /wp-json/rttpg/v1/elimport (app\Controllers\Api\ElImport.php:13)
  • POST /wp-json/rttpg/v1/filter (app\Controllers\Api\FrontEndFilterV1.php:13)
  • POST /wp-json/rttpg/v1/builder (app\Controllers\Api\GetBuilderData.php:15)
  • POST /wp-json/rttpg/v1/categories (app\Controllers\Api\GetCategories.php:12)
  • POST /wp-json/rttpg/v1/query (app\Controllers\Api\GetPostsV1.php:14)
  • GET /wp-json/rttpg/v1/terms (app\Controllers\Api\GetTermObject.php:13)
  • POST /wp-json/rttpg/v1/tickerquery (app\Controllers\Api\GetTickerPostsV1.php:14)
  • GET /wp-json/rttpg/v1/image-size (app\Controllers\Api\ImageSizeV1.php:13)

Shortcodes 1

  • [the-post-grid] (app\Controllers\ShortcodeController.php:27)

WordPress Hooks 100

  • filter posts_clauses (app\Controllers\Admin\AdminAjaxController.php:244)
  • action admin_head (app\Controllers\Admin\MetaController.php:28)
  • action edit_form_after_title (app\Controllers\Admin\MetaController.php:29)
  • action admin_enqueue_scripts (app\Controllers\Admin\MetaController.php:30)
  • action save_post (app\Controllers\Admin\MetaController.php:31)
  • filter manage_edit-rttpg_columns (app\Controllers\Admin\MetaController.php:32)
  • action manage_rttpg_posts_custom_column (app\Controllers\Admin\MetaController.php:33)
  • action created_term (app\Controllers\Admin\MetaController.php:34)
  • action admin_notices (app\Controllers\Admin\Notice\BlackFriday.php:31)
  • action admin_footer (app\Controllers\Admin\Notice\BlackFriday.php:32)
  • action admin_notices (app\Controllers\Admin\Notice\EidSpecial.php:24)
  • action admin_notices (app\Controllers\Admin\Notice\LoadResourceType.php:24)
  • action admin_notices (app\Controllers\Admin\Notice\Review.php:31)
  • action admin_init (app\Controllers\Admin\Notice\Review.php:32)
  • action admin_head (app\Controllers\Admin\Notice\Review.php:33)
  • action admin_notices (app\Controllers\Admin\Notice\SummerSale.php:24)
  • action init (app\Controllers\Admin\PostTypeController.php:23)
  • action admin_init (app\Controllers\Admin\PostTypeController.php:24)
  • action admin_menu (app\Controllers\Admin\SettingsController.php:36)
  • action admin_enqueue_scripts (app\Controllers\Admin\SettingsController.php:38)
  • action wp_print_styles (app\Controllers\Admin\SettingsController.php:39)
  • action admin_footer (app\Controllers\Admin\SettingsController.php:40)
  • action admin_head (app\Controllers\Admin\SettingsController.php:41)
  • filter mce_external_plugins (app\Controllers\Admin\SettingsController.php:55)
  • filter mce_buttons (app\Controllers\Admin\SettingsController.php:56)
  • filter plugin_row_meta (app\Controllers\Admin\UpgradeController.php:33)
  • action admin_notices (app\Controllers\Admin\UpgradeController.php:59)
  • action rest_api_init (app\Controllers\Api\ACFV1.php:9)
  • action rest_api_init (app\Controllers\Api\ElImport.php:9)
  • action rest_api_init (app\Controllers\Api\FrontEndFilterV1.php:9)
  • action rest_api_init (app\Controllers\Api\GetBuilderData.php:11)
  • action rest_api_init (app\Controllers\Api\GetCategories.php:8)
  • action rest_api_init (app\Controllers\Api\GetPostsV1.php:10)
  • action rest_api_init (app\Controllers\Api\GetTermObject.php:9)
  • action rest_api_init (app\Controllers\Api\GetTickerPostsV1.php:10)
  • action rest_api_init (app\Controllers\Api\ImageSizeV1.php:9)
  • action rest_api_init (app\Controllers\Api\RestApi.php:15)
  • action wp_footer (app\Controllers\Blocks\BlockBase.php:34)
  • action init (app\Controllers\Blocks\GridHoverLayout.php:17)
  • action init (app\Controllers\Blocks\GridLayout.php:20)
  • action init (app\Controllers\Blocks\ListLayout.php:19)
  • action init (app\Controllers\Blocks\RttpgRow.php:10)
  • action init (app\Controllers\Blocks\SectionTitle.php:13)
  • action enqueue_block_editor_assets (app\Controllers\BlocksController.php:29)
  • action wp_enqueue_scripts (app\Controllers\BlocksController.php:32)
  • action enqueue_block_editor_assets (app\Controllers\BlocksController.php:33)
  • filter block_categories_all (app\Controllers\BlocksController.php:36)
  • filter block_categories (app\Controllers\BlocksController.php:38)
  • action wp_enqueue_scripts (app\Controllers\BlocksController.php:50)
  • action wp_head (app\Controllers\BlocksController.php:52)
  • action wp_enqueue_scripts (app\Controllers\DiviController.php:44)
  • action et_builder_ready (app\Controllers\DiviController.php:45)
  • action wp_enqueue_scripts (app\Controllers\DiviController.php:46)
  • action admin_head (app\Controllers\DiviController.php:47)
  • action wp_head (app\Controllers\DiviController.php:48)
  • action elementor/widgets/register (app\Controllers\ElementorController.php:44)
  • action elementor/elements/categories_registered (app\Controllers\ElementorController.php:45)
  • action elementor/editor/after_enqueue_scripts (app\Controllers\ElementorController.php:46)
  • action wp_footer (app\Controllers\ElementorController.php:47)
  • action wp_enqueue_scripts (app\Controllers\ElementorController.php:48)
  • filter elementor/editor/localize_settings (app\Controllers\ElementorController.php:49)
  • action elementor/editor/after_enqueue_scripts (app\Controllers\ElementorController.php:51)
  • action enqueue_block_assets (app\Controllers\GutenBergController.php:19)
  • action enqueue_block_editor_assets (app\Controllers\GutenBergController.php:20)
  • action pre_get_posts (app\Controllers\Hooks\ActionHooks.php:28)
  • filter post_row_actions (app\Controllers\Hooks\ActionHooks.php:29)
  • filter page_row_actions (app\Controllers\Hooks\ActionHooks.php:30)
  • filter tpg_author_arg (app\Controllers\Hooks\FilterHooks.php:31)
  • filter plugin_row_meta (app\Controllers\Hooks\FilterHooks.php:32)
  • filter the_content (app\Controllers\Hooks\FilterHooks.php:37)
  • filter wp (app\Controllers\Hooks\FilterHooks.php:40)
  • filter body_class (app\Controllers\Hooks\FilterHooks.php:41)
  • filter admin_body_class (app\Controllers\Hooks\FilterHooks.php:42)
  • filter wp_kses_allowed_html (app\Controllers\Hooks\FilterHooks.php:43)
  • filter tpg_sc_query_args (app\Controllers\Hooks\FilterHooks.php:46)
  • filter tpg_sc_temp_query_args (app\Controllers\Hooks\FilterHooks.php:47)
  • action admin_head (app\Controllers\Hooks\InstallPlugins.php:114)
  • filter template_include (app\Controllers\PageTemplateController.php:21)
  • action wp_head (app\Controllers\ScriptController.php:42)
  • action admin_head (app\Controllers\ScriptController.php:43)
  • action wp_enqueue_scripts (app\Controllers\ScriptController.php:44)
  • action init (app\Controllers\ScriptController.php:45)
  • action pre_get_posts (app\Controllers\ShortcodeController.php:28)
  • action wp_footer (app\Controllers\ShortcodeController.php:1285)
  • action widgets_init (app\Controllers\WidgetController.php:25)
  • action wp_footer (app\Helpers\DiviFns.php:579)
  • filter image_resize_dimensions (app\Models\ReSizer.php:88)
  • action plugins_loaded (app\RtTpg.php:172)
  • action init (app\RtTpg.php:173)
  • filter wp_calculate_image_srcset (app\RtTpg.php:185)
  • action wp_footer (app\Widgets\elementor\widgets\grid-hover-layout-archive.php:165)
  • action wp_footer (app\Widgets\elementor\widgets\grid-hover-layout.php:172)
  • action wp_footer (app\Widgets\elementor\widgets\grid-layout-archive.php:158)
  • action wp_footer (app\Widgets\elementor\widgets\grid-layout.php:167)
  • action wp_footer (app\Widgets\elementor\widgets\list-layout-archive.php:164)
  • action wp_footer (app\Widgets\elementor\widgets\list-layout.php:167)
  • action wp_footer (app\Widgets\elementor\widgets\post-timeline.php:507)
  • action wp_footer (app\Widgets\elementor\widgets\related-post.php:189)
  • action wp_footer (app\Widgets\elementor\widgets\slider-layout-archive.php:168)
  • action wp_footer (app\Widgets\elementor\widgets\slider-layout.php:166)

Scheduled Events 1

  • rttpg_daily_scheduled_events

Maintenance & Trust

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 16, 2026
PHP min version: 7.4
Downloads: 3.2M

Community Trust

Rating: 94/100
Number of ratings: 258
Active installs: 100K

Developer Profile

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Developer Profile

RadiusTheme

16 plugins · 213K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 104 days
Detection Fingerprints

How We Detect The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/the-post-grid/app/public/js/tpg-public.min.js
  • /wp-content/plugins/the-post-grid/app/public/css/tpg-public.min.css
  • /wp-content/plugins/the-post-grid/app/admin/css/rt-tpg-admin.css
  • /wp-content/plugins/the-post-grid/app/admin/css/rt-tpg-admin-preview.css
  • /wp-content/plugins/the-post-grid/app/admin/js/rt-tpg-admin.js
  • /wp-content/plugins/the-post-grid/app/admin/js/rt-tpg-admin-preview.js
Script Paths
  • /wp-content/plugins/the-post-grid/app/public/js/tpg-public.min.js
  • /wp-content/plugins/the-post-grid/app/admin/js/rt-tpg-admin.js
  • /wp-content/plugins/the-post-grid/app/admin/js/rt-tpg-admin-preview.js
Version Parameters
the-post-grid/the-post-grid.php

HTML / DOM Fingerprints

CSS Classes
rt-code-sc, rt-select2, rt-tpg-admin, rt-tpg-admin-preview, rt-after-title, rt-document-box, rt-update-pro-btn-wrap, rt-update-pro-btn (+4 more)
Data Attributes
rt-code-sc
JS Globals
rttpg
Shortcode Output
[the-post-grid id=
FAQ

Frequently Asked Questions about The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid