CVE-2024-9636

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.93/includes/blocks/form-wrap/functions.php#L3200
https://plugins.trac.wordpress.org/changeset/3117675/post-grid/trunk/includes/blocks/form-wrap/functions.php
https://plugins.trac.wordpress.org/changeset/3221012/post-grid/trunk/includes/blocks/form-wrap/functions.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/1bbe01b8-24ed-4e1e-bafc-0f4dea96c1f3?source=cve

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El complemento Post Grid y Gutenberg Blocks para WordPress es vulnerable a la escalada de privilegios en las versiones 2.2.85 a 2.3.3. Esto se debe a que el complemento no restringe adecuadamente qué metadatos de usuario se pueden actualizar durante el registro del perfil. Esto hace posible que atacantes no autenticados se registren en el sitio como administradores.

15 Jan 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-15 10:15

Updated : 2026-06-17 08:24

NVD link : CVE-2024-9636

Mitre link : CVE-2024-9636

CVE.ORG link : CVE-2024-9636

JSON object : View

Products Affected

No product.

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2024-9636", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2024-9636", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2025-01-15T14:40:18.203516Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "pickplugins", "product": "Post Grid and Gutenberg Blocks \u2013 ComboBlocks", "versions": [{"status": "affected", "version": "2.2.85", "versionType": "semver", "lessThanOrEqual": "2.3.3"}], "defaultStatus": "unaffected"}]}], "published": "2025-01-15T10:15:08.607", "references": [{"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.93/includes/blocks/form-wrap/functions.php#L3200", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3117675/post-grid/trunk/includes/blocks/form-wrap/functions.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3221012/post-grid/trunk/includes/blocks/form-wrap/functions.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bbe01b8-24ed-4e1e-bafc-0f4dea96c1f3?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator."}, {"lang": "es", "value": "El complemento Post Grid y Gutenberg Blocks para WordPress es vulnerable a la escalada de privilegios en las versiones 2.2.85 a 2.3.3. Esto se debe a que el complemento no restringe adecuadamente qu\u00e9 metadatos de usuario se pueden actualizar durante el registro del perfil. Esto hace posible que atacantes no autenticados se registren en el sitio como administradores."}], "lastModified": "2026-06-17T08:24:57.740", "sourceIdentifier": "security@wordfence.com"}