Platform
wordpress
Component
post-grid
Fixed in
2.3.4
CVE-2024-9636 is a critical privilege escalation vulnerability in the Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress. Because the plugin did not properly restrict which user meta values could be set during registration, an unauthenticated attacker can register an account on the site and have it created with the administrator role, giving them full control of the installation. Versions 2.2.85 through 2.3.3 are affected; the vendor fixed the issue in 2.3.4.
The impact is severe. No prior access or credentials are required: a successful attacker ends up with an administrator account on the WordPress site. From there they can modify any content, install malicious plugins or themes (which execute PHP on the server), read sensitive data such as user records and customer information, and, depending on the hosting setup, pivot to the underlying host or to other sites on the same server. The compromised site can also be used to stage further attacks against its visitors or other systems. The wide deployment of WordPress and the plugin's popularity make this vulnerability particularly concerning.
CVE-2024-9636 was publicly disclosed on 2025-01-15. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's ease of exploitation suggests it is likely to be targeted. The high CVSS score indicates a significant risk, and it is prudent to assume active exploitation is possible. This vulnerability is not currently listed on the CISA KEV catalog.
Every site running an affected version of the plugin is at risk; the exposure is highest where anonymous visitors can reach a registration form. Shared hosting environments where multiple WordPress sites share the same server face additional risk, since compromise of one site can lead to compromise of its neighbours. Sites with legacy WordPress configurations or without basic hardening (no account auditing, no update process) are least likely to notice an attacker-created administrator.
wordpress / composer / npm (run with WP-CLI from the WordPress root; the plugin slug is post-grid, so grep for the slug rather than the display name "ComboBlocks"):
• wp plugin list | grep post-grid
• wp plugin update post-grid
• grep -r 'update_user_meta' /var/www/html/wp-content/plugins/post-grid/
• wp option get siteurl
• wp option get home
Note that the grep only confirms the plugin writes user meta; the installed version, not the presence of that call, decides whether the site is vulnerable.
Disclosure
Exploit status
EPSS
0.76% (73rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9636 is to upgrade the ComboBlocks plugin immediately to 2.3.4 or later. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily disable user registration so that no new administrator accounts can be created, and confirm afterwards that an anonymous visitor can no longer submit a registration. That is a stopgap, not a fix. In either case, list the site's administrator accounts and check each one against the people who should have that role; an account you cannot account for, especially one registered recently, should be treated as a sign of compromise. Monitor WordPress logs for unexpected registration attempts.
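The following script is an added example, not code from the advisory or from the plugin vendor, that turns the detection and audit steps above into something repeatable: it compares the installed version against the affected range 2.2.85 through 2.3.3 stated on this page, and it filters the administrator list for accounts registered after a date you last verified the roster. It assumes the plugin slug is post-grid (as listed under Component above) and that WP-CLI is on PATH for the live checks; the CSV embedded in the script is constructed sample data, not output from a real site.

```shell
#!/bin/sh
# Added example for CVE-2024-9636: version-range check plus administrator audit.
# Assumptions: plugin slug "post-grid", WP-CLI available for the live section.

# Compare two dotted version strings component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b; a missing component counts as 0,
# so 2.3 and 2.3.0 compare equal and 2.3.10 is newer than 2.3.9.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; ai=${ai:-0}
    bi=${b%%.*}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  printf '%s\n' 0
}

# Affected range taken from the advisory text.
AFFECTED_MIN=2.2.85
AFFECTED_MAX=2.3.3

# Succeeds (exit 0) when $1 falls inside the affected range, inclusive.
is_affected() {
  [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] && [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# Reads the CSV produced by
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
# on stdin and prints the login of each administrator registered after $1.
# WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS", which compares
# correctly as a plain string against a "YYYY-MM-DD" cutoff.
admins_registered_since() {
  awk -F, -v since="$1" 'NR > 1 && $4 > since { print $2 }'
}

# Constructed sample of the CSV above (not real site data).
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2023-06-11 09:00:00
57,wp_mgr_x,mgr-x@example.net,2025-01-20 03:14:07'

# Date on which the administrator roster was last verified by hand.
REVIEW_SINCE=${REVIEW_SINCE:-2025-01-01}

# Demo against fixed inputs.
for v in 2.2.84 2.2.85 2.3.3 2.3.4; do
  if is_affected "$v"; then echo "$v: AFFECTED, update to 2.3.4 or later"
  else echo "$v: outside affected range"; fi
done
echo "Administrators registered since $REVIEW_SINCE (verify each one):"
printf '%s\n' "$SAMPLE_ADMINS" | admins_registered_since "$REVIEW_SINCE"

# Live checks, only when WP-CLI is present; run from the WordPress root.
if command -v wp >/dev/null 2>&1; then
  installed=$(wp plugin get post-grid --field=version 2>/dev/null) \
    && is_affected "$installed" \
    && echo "Installed post-grid $installed is in the affected range"
  wp user list --role=administrator \
    --fields=ID,user_login,user_email,user_registered --format=csv \
    | admins_registered_since "$REVIEW_SINCE"
fi
```

The version comparison is done numerically per component rather than with string or `sort -V` tricks, because the plugin's own numbering crosses from 2.2.85 to 2.3.x and a lexical compare would misorder such values. The audit deliberately lists accounts for a human to confirm instead of deleting anything: a legitimately created administrator and an attacker-created one look identical in `wp_users`, so the decision has to come from whoever owns the roster.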
Update the Post Grid and Gutenberg Blocks plugin to the latest available version. This fixes the privilege escalation vulnerability that let unauthenticated users register as administrators.
CVE-2024-9636 is a critical vulnerability in ComboBlocks WordPress plugin versions 2.2.85 through 2.3.3 that allows unauthenticated attackers to register as administrators, because the plugin did not properly restrict the user meta values set during registration.
If you are using ComboBlocks plugin versions 2.2.85 through 2.3.3, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade the ComboBlocks plugin to 2.3.4 or later. If upgrading is not possible, temporarily disable user registration until the upgrade can be performed, and review the site's administrator accounts for any you did not create.
While no public exploits are currently available, the vulnerability's ease of exploitation suggests it is likely to be targeted. Proactive mitigation is recommended.
Refer to the ComboBlocks plugin website or WordPress.org plugin repository for the latest advisory and update information.