WordPress Plugin Vulnerabilities

Post Grid Combo – 36+ Gutenberg Blocks < 2.2.69 - Information Exposure via get_posts API Endpoint

Description

The plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'get_posts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft posts and password protected posts, as well as the password for password-protected posts.

Affects Plugins

Plugin icon
post-grid
Fixed in 2.2.69

References

CVE
CVE-2023-7072
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/feee3268-b384-400c-a76d-e5d7972c05b7

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Hung -mov Nguyen
Verified
No
WPVDB ID
ebd4170d-a677-4c40-954c-f56a3a62a7ea

Timeline

Publicly Published
2024-03-12 (about 2 years ago)
Added
2024-03-13 (about 2 years ago)
Last Updated
2024-03-13 (about 2 years ago)

Other

Published
Title
Published
2025-11-04
Title
File Manager for Google Drive – Integrate Google Drive with WordPress < 1.5.4 - Unauthenticated Sensitive Information Exposure
Published
2024-02-08
Title
Passster – Password Protect Pages and Content < 4.2.6.3 - Missing Authorization to Sensitive Information Exposure
Published
2024-12-18
Title
WP Project Manager < 2.6.16 - Authenticated (Subscriber+) Sensitive Information Exposure via Project Task List REST API
Published
2025-08-27
Title
Xagio SEO < 7.1.0.6 - Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files
Published
2025-04-03
Title
TailPress <= 0.4.4 - Unauthenticated Sensitive Information Exposure