Search criteria
6 vulnerabilities found for Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks by pickplugins
CVE-2024-3155 (GCVE-0-2024-3155)
Vulnerability from nvd – Published: 2024-05-21 02:32 – Updated: 2024-08-01 20:05
VLAI?
Title
Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks <= 2.2.80 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pickplugins | Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks |
Affected:
* , ≤ 2.2.80
(semver)
|
Credits
João Pedro Soares de Alcântara
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pickplugins:post_grid_combo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "post_grid_combo",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.80",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T14:22:35.180751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:03:13.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:07.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84bc611c-c38a-4282-9a9b-5bb9157fb1de?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3084503%40post-grid%2Ftrunk\u0026old=3078364%40post-grid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.80",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro Soares de Alc\u00e2ntara"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-21T02:32:59.318Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84bc611c-c38a-4282-9a9b-5bb9157fb1de?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3084503%40post-grid%2Ftrunk\u0026old=3078364%40post-grid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-20T14:10:56.000+00:00",
"value": "Disclosed"
}
],
"title": "Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks \u003c= 2.2.80 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3155",
"datePublished": "2024-05-21T02:32:59.318Z",
"dateReserved": "2024-04-01T19:45:47.411Z",
"dateUpdated": "2024-08-01T20:05:07.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7072 (GCVE-0-2023-7072)
Vulnerability from nvd – Published: 2024-03-12 22:32 – Updated: 2024-08-28 15:05
VLAI?
Summary
The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'get_posts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft posts and password protected posts, as well as the password for password-protected posts.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pickplugins | Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks |
Affected:
* , ≤ 2.2.68
(semver)
|
Credits
Hung -mov Nguyen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.113Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/feee3268-b384-400c-a76d-e5d7972c05b7?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.68/src/functions-rest.php#L1670"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.69/includes/blocks/functions-rest.php#L1670"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pickplugins:post_grid_combo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "post_grid_combo",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.68",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7072",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T15:36:42.992284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T15:05:17.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.68",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hung -mov Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Grid Combo \u2013 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the \u0027get_posts\u0027 REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft posts and password protected posts, as well as the password for password-protected posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-202 Exposure of Sensitive Data Through Data Queries",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T22:32:27.035Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/feee3268-b384-400c-a76d-e5d7972c05b7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.68/src/functions-rest.php#L1670"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.69/includes/blocks/functions-rest.php#L1670"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-12T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-7072",
"datePublished": "2024-03-12T22:32:27.035Z",
"dateReserved": "2023-12-21T22:09:26.886Z",
"dateUpdated": "2024-08-28T15:05:17.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6645 (GCVE-0-2023-6645)
Vulnerability from nvd – Published: 2024-01-11 08:32 – Updated: 2025-06-17 21:09
VLAI?
Summary
The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pickplugins | Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks |
Affected:
* , ≤ 2.2.64
(semver)
|
Credits
Rafshanzani Suhada
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.889Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab777672-6eef-4078-932d-24bb784107fa?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3010342%40post-grid%2Ftrunk\u0026old=2999466%40post-grid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-18T01:27:47.427238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:09:13.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.64",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafshanzani Suhada"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Grid Combo \u2013 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T08:32:49.663Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab777672-6eef-4078-932d-24bb784107fa?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3010342%40post-grid%2Ftrunk\u0026old=2999466%40post-grid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-07T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-12-11T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-12-15T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6645",
"datePublished": "2024-01-11T08:32:49.663Z",
"dateReserved": "2023-12-08T20:55:13.445Z",
"dateUpdated": "2025-06-17T21:09:13.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3155 (GCVE-0-2024-3155)
Vulnerability from cvelistv5 – Published: 2024-05-21 02:32 – Updated: 2024-08-01 20:05
VLAI?
Title
Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks <= 2.2.80 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pickplugins | Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks |
Affected:
* , ≤ 2.2.80
(semver)
|
Credits
João Pedro Soares de Alcântara
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pickplugins:post_grid_combo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "post_grid_combo",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.80",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T14:22:35.180751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:03:13.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:07.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84bc611c-c38a-4282-9a9b-5bb9157fb1de?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3084503%40post-grid%2Ftrunk\u0026old=3078364%40post-grid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.80",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro Soares de Alc\u00e2ntara"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-21T02:32:59.318Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84bc611c-c38a-4282-9a9b-5bb9157fb1de?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3084503%40post-grid%2Ftrunk\u0026old=3078364%40post-grid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-20T14:10:56.000+00:00",
"value": "Disclosed"
}
],
"title": "Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks \u003c= 2.2.80 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3155",
"datePublished": "2024-05-21T02:32:59.318Z",
"dateReserved": "2024-04-01T19:45:47.411Z",
"dateUpdated": "2024-08-01T20:05:07.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7072 (GCVE-0-2023-7072)
Vulnerability from cvelistv5 – Published: 2024-03-12 22:32 – Updated: 2024-08-28 15:05
VLAI?
Summary
The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'get_posts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft posts and password protected posts, as well as the password for password-protected posts.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pickplugins | Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks |
Affected:
* , ≤ 2.2.68
(semver)
|
Credits
Hung -mov Nguyen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.113Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/feee3268-b384-400c-a76d-e5d7972c05b7?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.68/src/functions-rest.php#L1670"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.69/includes/blocks/functions-rest.php#L1670"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pickplugins:post_grid_combo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "post_grid_combo",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.68",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7072",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T15:36:42.992284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T15:05:17.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.68",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hung -mov Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Grid Combo \u2013 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the \u0027get_posts\u0027 REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft posts and password protected posts, as well as the password for password-protected posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-202 Exposure of Sensitive Data Through Data Queries",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T22:32:27.035Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/feee3268-b384-400c-a76d-e5d7972c05b7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.68/src/functions-rest.php#L1670"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.69/includes/blocks/functions-rest.php#L1670"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-12T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-7072",
"datePublished": "2024-03-12T22:32:27.035Z",
"dateReserved": "2023-12-21T22:09:26.886Z",
"dateUpdated": "2024-08-28T15:05:17.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6645 (GCVE-0-2023-6645)
Vulnerability from cvelistv5 – Published: 2024-01-11 08:32 – Updated: 2025-06-17 21:09
VLAI?
Summary
The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pickplugins | Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks |
Affected:
* , ≤ 2.2.64
(semver)
|
Credits
Rafshanzani Suhada
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.889Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab777672-6eef-4078-932d-24bb784107fa?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3010342%40post-grid%2Ftrunk\u0026old=2999466%40post-grid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-18T01:27:47.427238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:09:13.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel \u2013 Combo Blocks",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.64",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafshanzani Suhada"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Grid Combo \u2013 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T08:32:49.663Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab777672-6eef-4078-932d-24bb784107fa?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3010342%40post-grid%2Ftrunk\u0026old=2999466%40post-grid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-07T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-12-11T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-12-15T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6645",
"datePublished": "2024-01-11T08:32:49.663Z",
"dateReserved": "2023-12-08T20:55:13.445Z",
"dateUpdated": "2025-06-17T21:09:13.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}