
CVE-2024-13796: Post Grid and Gutenberg Blocks – ComboBlocks <= 2.3.6 - Unauthenticated User Information Exposure

5.3 CVSS

Description

The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.6 via the /wp-json/post-grid/v2/get_users REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data, including emails and other user data.

Classification

CVE ID: CVE-2024-13796

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: pickplugins

Product: Post Grid and Gutenberg Blocks – ComboBlocks

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.58% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-29 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-13796
https://www.wordfence.com/threat-intel/vulnerabilities/id/0407223a-cd41-43d1-87b0-d6b83b57d4b3?source=cve
https://plugins.trac.wordpress.org/browser/post-grid/trunk/includes/blocks/functions-rest.php?rev=3242718#L2055
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3245187%40post-grid&new=3245187%40post-grid&sfp_email=&sfph_mail=

Timeline