Post Grid and Gutenberg Blocks – ComboBlocks < 2.3.7 – Unauthenticated User Information Exposure | CVE 2024-13796 | Plugin Vulnerabilities

Description

The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.6 via the /wp-json/post-grid/v2/get_users REST API This makes it possible for unauthenticated attackers to extract sensitive data including including emails and other user data.

Affects Plugins

Fixed in 2.3.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0407223a-cd41-43d1-87b0-d6b83b57d4b3

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

183a3dad-f5cf-40ae-96d6-0bfca467e086

Timeline

Publicly Published

2025-02-27 (about 1 year ago)

Added

2025-02-27 (about 1 year ago)

Last Updated

2025-02-28 (about 1 year ago)

Other

Published

Title

Published

2025-09-22

Title

Helpie FAQ < 1.46 - Unauthenticated Sensitive Information Exposure

Published

2024-07-11

Title

WP Popups – WordPress Popup builder < 2.2.0.2 - Unauthenticated Full Path Disclosure

Published

2020-06-11

Title

WordPress < 5.4.2 - Disclosure of Password-Protected Page/Post Comments

Published

2025-01-16

Title

WM Options Import Export <= 1.0.1 - Unauthenticated Information Exposure

Published

2026-03-13

Title

Doofinder for WooCommerce < 2.10.14 - Unauthenticated Information Exposure