WordPress Post Grid <=7.6.1: Authenticated Settings Tampering (rtTPGSaveSettings)
CVE-2024-3936 Published on May 2, 2024
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.6.1 - Missing Authorization
The The Post Grid Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions.
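The weakness described above is the classic WordPress pattern of an AJAX handler that writes settings without asking who is calling. The following PHP is an added illustration and is not code from The Post Grid plugin; the hook names, callback names, nonce action and option key (`example_save_settings`, `example_plugin_settings`, `example_settings_nonce`) are hypothetical. It shows the unchecked pattern beside a hardened version that verifies both a nonce and a capability before touching any option.

```php
<?php
// Added example, not the plugin's code. Every name below is hypothetical.

// UNCHECKED PATTERN: registering on wp_ajax_* makes the callback reachable by
// any logged-in user (Subscriber and up), and the callback trusts the caller.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unchecked' );
function example_save_settings_unchecked() {
    // No nonce, no capability check: any authenticated account reaches here.
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( array( 'saved' => true ) );
}

// HARDENED PATTERN: two independent checks before any write.
// - check_ajax_referer() proves the request originated from the plugin's own
//   admin page (anti-CSRF); it exits with HTTP 403 on failure.
// - current_user_can() proves the caller is authorized to change settings
//   (the missing authorization check this CVE is about). A nonce alone is not
//   enough: a Subscriber can obtain a valid nonce for their own session.
add_action( 'wp_ajax_example_save_settings_safe', 'example_save_settings_checked' );
function example_save_settings_checked() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Settings are assumed to be a flat array of strings; sanitize each value.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );

    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of bug, list every `add_action( 'wp_ajax_...' )` registration and confirm that the callback calls `current_user_can()` (or an equivalent capability test) before any `update_option()`, database write, or call into other privileged functions; a nonce check by itself does not establish authorization.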
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-3936 has been classified as an AuthZ (missing authorization) vulnerability or weakness.
Products Associated with CVE-2024-3936
Affected Versions
- techlabpro1 The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid: all versions up to and including 7.6.1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.