WordPress Plugin Vulnerabilities

Post Grid and Gutenberg Blocks 2.2.85 - 2.3.3 - Unauthenticated Privilege Escalation

Description

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.

Affects Plugins

Plugin icon
post-grid
Fixed in 2.3.4

References

CVE
CVE-2024-9636
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1bbe01b8-24ed-4e1e-bafc-0f4dea96c1f3

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
1d1e059e-e3ee-4c87-afc6-9e0cc34d6622

Timeline

Publicly Published
2025-01-14 (about 1 year ago)
Added
2025-01-14 (about 1 year ago)
Last Updated
2025-01-15 (about 1 year ago)

Other

Published
Title
Published
2025-04-17
Title
WPAMS <= 44.0 (17-08-2023) - Authenticated (Subscriber+) Privilege Escalation
Published
2024-09-10
Title
Post Grid and Gutenberg Blocks 2.2.87 - 2.2.90 - Subscriber+ Privilege Escalation
Published
2025-01-06
Title
School Management System <= 1.0.8 - Unauthenticated Privilege Escalation
Published
2024-04-25
Title
Barcode Scanner with Inventory & Order Manager < 1.5.4 - Unauthenticated Privilege Escalation
Published
2025-04-03
Title
Vehica Core < 1.0.98 - Authenticated (Subscriber+) Privilege Escalation