WordPress Plugin Vulnerabilities

Post Grid and Gutenberg Blocks < 2.3.6 - Unauthenticated Paid Order Creation

Description

The plugin is vulnerable to unauthorized order creation due to insufficient verification on form fields. This makes it possible for unauthenticated attackers to create new orders for products and mark them as paid without actually completing a payment.

Affects Plugins

Plugin icon
post-grid
Fixed in 2.3.6

References

CVE
CVE-2024-13798
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/705823ff-e9c3-4b8b-b71c-3b60d0d15b01

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
26e7a1ad-820e-45bc-9559-901d6a807d93

Timeline

Publicly Published
2025-02-21 (about 1 year ago)
Added
2025-02-22 (about 1 year ago)
Last Updated
2025-02-22 (about 1 year ago)

Other

Published
Title
Published
2025-03-24
Title
User Registration & Membership (Free < 4.1.2, Pro < 5.1.2) - Unauthenticated Privilege Escalation
Published
2024-04-24
Title
SP Project & Document Manager <= 4.71 - Subscriber+ File Download via IDOR
Published
2026-05-13
Title
MW WP Form < 5.1.3 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
Published
2023-04-03
Title
WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR
Published
2025-12-14
Title
Essential Real Estate <= 5.2.2 - Authenticated (ERE Customer+) Insecure Direct Object Reference