CVE-2024-0881

Combo Blocks < 2.2.76 - Unauthenticated Password Protected Posts Access

CVSS 5.4 MEDIUMEPSS 16.9%

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 5.4EPSS 16.9%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

11 Apr 2024Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not have proper authorization, resulting in password protected posts to be displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected products

Unknown · Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/e460e926-6e9b-4e9f-b908-ba5c9c7fb290/