Sensitive Information Exposure Vulnerability Affects The Post Grid Combo Plugin
CVE-2023-7072

7.5HIGH

Key Information:

Vendor
Wordpress
Status
Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks
Vendor
CVE Published:
12 March 2024

Summary

The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress has a vulnerability that allows unauthenticated attackers to access sensitive data through the 'get_posts' REST API endpoint. This issue affects all versions up to and including 2.2.68, enabling unauthorized users to extract full draft posts, password-protected content, and the passwords for those protected posts. As a result, this vulnerability poses a significant risk to the confidentiality of user data and requires prompt remediation.

Affected Version(s)

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks * <= 2.2.68

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/post-grid/tags...
https://plugins.trac.wordpress.org/browser/post-grid/tags...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hung -mov Nguyen
.