Platform
wordpress
Component
post-grid
Fixed in
2.3.4
CVE-2024-9636 is a critical privilege escalation vulnerability in the Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress (plugin slug post-grid). The plugin does not properly restrict which user meta values can be supplied during registration, so an unauthenticated attacker can register an account that carries the administrator role and take complete control of the site. Versions 2.2.85 through 2.3.3 are affected; the vendor fixed the flaw in version 2.3.4.
The impact is severe. A successful attacker needs no existing credentials and ends up with full administrative access: they can modify content, install malicious plugins or backdoors, read sensitive data (user credentials, customer information, financial records) and potentially compromise the underlying server. A compromised site can then serve as a foothold for attacks on other systems on the same network, widening the blast radius. Given how widely WordPress and this plugin are deployed, the exposed population is large.
CVE-2024-9636 was publicly disclosed on 2025-01-15. Exploitation only requires abusing the registration flow, and the plugin is popular, so the probability of exploitation is high. No public proof of concept (PoC) had been released as of this writing, but given the simplicity of the attack vector one is likely to appear. Treat this vulnerability as urgent and apply the patch as soon as possible.
Sites running the ComboBlocks plugin are at risk, particularly those with open user registration enabled. Shared hosting environments are at increased risk because a compromise of one site can spread to the others on the same server. Sites with legacy configurations or without basic hardening are the most exposed.
Quick checks (WP-CLI, run from the WordPress root; the /var/www/html path is this page's example and differs per install):
• wp plugin list | grep post-grid   (confirm the installed version; the plugin's slug is post-grid, so grepping for "ComboBlocks" finds nothing)
• wp plugin update post-grid   (update to 2.3.4 or later; wp plugin update --all updates every plugin instead)
• grep -r 'update_user_meta' /var/www/html/wp-content/plugins/post-grid/   (locate where the plugin writes user meta during registration)
• wp option get siteurl
• wp option get home   (confirm which install you are checking before acting)
Exploit status
EPSS
0.76% (73rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9636 is to upgrade the ComboBlocks plugin to version 2.3.4 or later immediately. If you cannot upgrade right away because of compatibility concerns, temporarily disable user registration (Settings > General > "Anyone can register" in the WordPress dashboard, which corresponds to the users_can_register option). Stricter registration validation, for example a web application firewall rule that rejects registration requests carrying role-related fields, is only a stopgap. Monitor logs for suspicious registration attempts, especially bursts from unusual IP addresses. Patching does not undo a compromise that has already happened: audit the user list for administrator accounts you do not recognise, particularly ones created while the vulnerable version was installed, and review the site for added plugins, modified files and malware. Keep general hardening in place (restrictive file permissions, regular malware scans).
Update the Post Grid and Gutenberg Blocks plugin to the latest available version. This fixes the privilege escalation vulnerability that allows unauthenticated users to register as administrators.
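The version check and the rogue-administrator audit above, as an added runnable example (this is not code from the advisory or from the plugin vendor): a small POSIX shell script that decides whether an installed post-grid version falls in the affected range 2.2.85 to 2.3.3 and lists administrator accounts registered on or after a cutoff date you choose, working from WP-CLI output. The affected range and fixed version come from this page; the WP-CLI invocations (wp plugin get, wp user list) are standard commands, the cutoff date and the sample CSV are constructed for the example, and the live function assumes WP-CLI is installed and the script is run from the site root.

```shell
#!/bin/sh
# Added example, not part of the advisory or the plugin: audit a WordPress site
# for CVE-2024-9636 exposure with WP-CLI. The affected range 2.2.85 to 2.3.3 and
# the fixed version 2.3.4 come from the advisory; everything else is assumed.

AFFECTED_MIN="2.2.85"
FIXED="2.3.4"

# is_affected VERSION: succeed if VERSION is >= 2.2.85 and < 2.3.4.
# Uses GNU sort -V for version ordering, so 2.3.10 correctly sorts after 2.3.4.
is_affected() {
    v="$1"
    lo=$(printf '%s\n%s\n' "$AFFECTED_MIN" "$v" | sort -V | head -n1)
    [ "$lo" = "$AFFECTED_MIN" ] || return 1        # below the affected range
    [ "$v" = "$FIXED" ] && return 1                 # exactly the fixed release
    hi=$(printf '%s\n%s\n' "$v" "$FIXED" | sort -V | tail -n1)
    [ "$hi" = "$FIXED" ]                            # still below the fix
}

# recent_admins CSV CUTOFF: print the rows (header dropped) whose user_registered
# date is on or after CUTOFF (YYYY-MM-DD). CSV is the output of
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_email,user_registered --format=csv
# ISO timestamps compare correctly as plain strings, so no date parsing is needed.
# Assumes no commas inside logins or e-mail addresses.
recent_admins() {
    printf '%s\n' "$1" | awk -F',' -v cutoff="$2" '
        NR == 1 { next }
        substr($4, 1, 10) >= cutoff { print }
    '
}

# audit_live CUTOFF: run both checks against the current site. Requires WP-CLI;
# it is not called by default so the script also runs offline.
audit_live() {
    ver=$(wp plugin get post-grid --field=version)
    if is_affected "$ver"; then
        echo "post-grid $ver is in the affected range; update to $FIXED or later"
    else
        echo "post-grid $ver is outside the affected range"
    fi
    echo "administrators registered on or after $1 (review every one):"
    recent_admins "$(wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv)" "$1"
}

# Constructed sample of wp user list output (not from a real site).
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-02 10:11:12
57,qa-admin,qa@example.com,2024-09-30 23:59:59
58,wp_support,attacker@example.net,2024-10-16 03:12:44'

# Offline demonstration on the constructed data.
for v in 2.2.84 2.2.85 2.3.3 2.3.4 2.3.10; do
    if is_affected "$v"; then echo "post-grid $v: affected"; else echo "post-grid $v: not affected"; fi
done
echo "administrators registered since 2024-10-01:"
recent_admins "$SAMPLE_ADMINS" 2024-10-01
```

On a real site, call audit_live with the date the vulnerable version was installed (or an earlier date if unknown); every administrator it lists needs a human decision, since an account created by an attacker looks identical to a legitimate one in the user table.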
CVE-2024-9636 is a critical vulnerability that lets unauthenticated attackers register as administrators in ComboBlocks (post-grid) plugin versions 2.2.85 through 2.3.3, because the plugin does not properly restrict the user meta supplied at registration.
If you run ComboBlocks versions 2.2.85 through 2.3.3, you are affected. Check your installed plugin version immediately.
Upgrade the ComboBlocks plugin to version 2.3.4 or later. If upgrading is not possible, temporarily disable user registration until the upgrade can be performed.
No public exploit was available as of this writing, but the vulnerability is simple to exploit and likely to be targeted; mitigate proactively.
Refer to the plugin's page in the WordPress.org plugin directory or the vendor's site for the latest advisory and update information.