SB2025012951 - Privilege escalation in Post Grid and Gutenberg Blocks plugin for WordPress
Published: January 29, 2025
Security Bulletin ID
SB2025012951
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper privilege management (CVE-ID: CVE-2024-9636)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to the affected plugin not properly restricting what user meta can be updated during profile registration. A remote attacker can register on the site as an administrator.
Remediation
Install update from vendor's website.
References
- https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.93/includes/blocks/form-wrap/functions.php#L3200
- https://plugins.trac.wordpress.org/changeset/3117675/post-grid/trunk/includes/blocks/form-wrap/functions.php
- https://plugins.trac.wordpress.org/changeset/3221012/post-grid/trunk/includes/blocks/form-wrap/functions.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1bbe01b8-24ed-4e1e-bafc-0f4dea96c1f3?source=cve