Post Grid and Gutenberg Blocks - ComboBlocks Sensitive Information Exposure Vulnerability

Vulnerability

A vulnerability that exposes sensitive user information has been identified in the Post Grid and Gutenberg Blocks - ComboBlocks plugin for WordPress. The issue affects all versions through 2.3.6 and is present in the /wp-json/post-grid/v2/get_users REST API endpoint. It allows unauthenticated attackers to access sensitive data, including email addresses and other user-related information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive user information, such as email addresses and other personal data.

Reproduction

To reproduce this vulnerability, send a POST request to the /wp-json/post-grid/v2/get_users endpoint. This can be done using a tool like cURL or Postman. No authentication is required, and the request will return sensitive user data, including email addresses.

Remediation

Users are advised to update the Post Grid and Gutenberg Blocks - ComboBlocks plugin to version 2.3.7 or later.
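To check whether the endpoint was requested before the update was applied, the web server access log can be searched for the route. The following is an added example, not code from the plugin or from this advisory: it assumes Apache/nginx "combined" log format, assumes the route is also reachable through WordPress's standard ?rest_route= query form, and uses constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "/post-grid/v2/get_users"  # REST route named in the advisory

# Assumed "combined" format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def hits_route(target):
    """True if the request target addresses the get_users route."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower().rstrip("/")
    if path.endswith("/wp-json" + ROUTE):
        return True
    # Assumption: sites without pretty permalinks route REST calls via ?rest_route=
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(r.lower().rstrip("/") == ROUTE for r in routes)

def find_requests(lines):
    """Return one finding per logged request to the route."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not hits_route(m["target"]):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "time": m["time"], "method": m["method"],
            "status": status,
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
            # The advisory describes a POST that returns user data
            "matches_advisory": m["method"] == "POST" and status == 200,
        })
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jun/2025:10:01:02 +0000] "POST /wp-json/post-grid/v2/get_users HTTP/1.1" 200 4812 "-" "curl/8.5.0"',
    '198.51.100.7 - - [09/Jun/2025:10:01:09 +0000] "POST /?rest_route=%2Fpost-grid%2Fv2%2Fget_users HTTP/1.1" 200 4812 "-" "curl/8.5.0"',
    '192.0.2.15 - - [09/Jun/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jun/2025:08:00:00 +0000] "POST /wp-json/post-grid/v2/get_users HTTP/1.1" 403 112 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for f in find_requests(SAMPLE_LOG):
        print(f)
```

Findings with matches_advisory set to True indicate requests that received a successful response from the route and should be treated as possible disclosure of user data.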

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.