CVE-2024-13796
Published: 28 February 2025
Description
The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.6 via the /wp-json/post-grid/v2/get_users REST API. This makes it possible for unauthenticated attackers to extract sensitive data, including emails and other user data.
Security Summary
CVE-2024-13796 is a sensitive information exposure vulnerability (CWE-200) affecting the Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress in all versions up to and including 2.3.6. The issue resides in the /wp-json/post-grid/v2/get_users REST API endpoint, which improperly exposes user data. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. By sending requests to the affected REST API endpoint, they can extract sensitive user information, including email addresses and other user data, potentially enabling further phishing, spam, or targeted attacks on WordPress site users.
Advisories from Wordfence and the WordPress plugin repository provide details on mitigation. The Wordfence threat intelligence page documents the vulnerability, while WordPress Trac references show the vulnerable code in functions-rest.php at revision 3242718 (line 2055) and a patch applied in changeset 3245187 for the post-grid plugin repository. Security practitioners should update to a version beyond 2.3.6 and review access to REST API endpoints.
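One compensating control for the exposure described above, as an added example that is not part of the advisory or of the plugin's own code: a WordPress must-use plugin that hooks the core rest_request_before_callbacks filter and rejects calls to the /post-grid/v2/get_users route unless the caller is logged in with the list_users capability. The route path comes from the advisory; the choice of capability is an assumption.

```php
<?php
/**
 * Plugin Name: Restrict post-grid get_users route (added example, not the plugin's code)
 *
 * Compensating control for CVE-2024-13796 on sites that cannot update yet:
 * WordPress core runs this filter before any REST route callback, so the
 * plugin's own handler never executes for callers we reject here.
 */

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
	// Only act on the route named in the advisory (trailing slash tolerated).
	$route = $request->get_route();
	if ( ! preg_match( '#^/post-grid/v2/get_users/?$#', $route ) ) {
		return $response;
	}

	// Assumption: listing users should require the same capability the
	// WordPress admin uses for the Users screen. Anonymous callers fail this.
	if ( ! current_user_can( 'list_users' ) ) {
		// Record the rejected attempt so it shows up in the PHP error log;
		// repeated hits from one address are worth a closer look.
		error_log( sprintf(
			'CVE-2024-13796 control: blocked %s %s from %s',
			$request->get_method(),
			$route,
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
		) );

		// 401 for anonymous callers, 403 for logged-in users lacking the capability.
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to list users.' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return $response;
}, 10, 3 );
```

Place the file in wp-content/mu-plugins/ so it loads before regular plugins; it is a stopgap, and updating the plugin past 2.3.6 remains the actual fix.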
Details
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)