CVE-2024-13796 Overview
CVE-2024-13796 affects the Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress in all versions up to and including 2.3.6. The vulnerability exists in the /wp-json/post-grid/v2/get_users REST API endpoint, which fails to enforce proper access controls. Unauthenticated attackers can query the endpoint to enumerate WordPress users and extract sensitive data such as email addresses and other account metadata. The flaw is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Unauthenticated remote attackers can extract WordPress user emails and account details from any site running the vulnerable plugin, enabling targeted phishing and credential-stuffing campaigns.
Affected Products
- Pickplugins Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress
- All versions up to and including 2.3.6
- WordPress sites exposing the /wp-json/post-grid/v2/get_users REST route
Discovery Timeline
- 2025-02-28 - CVE-2024-13796 published to NVD
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2024-13796
Vulnerability Analysis
The vulnerability resides in the plugin's REST API handler defined in includes/blocks/functions-rest.php. The get_users route is registered without an adequate permission_callback, allowing anonymous HTTP requests to invoke the handler. The handler returns user objects that include identifying fields such as email addresses, usernames, and display names.
WordPress treats REST routes as publicly reachable unless the developer restricts them: register_rest_route() serves a route to anonymous callers when permission_callback is omitted or set to __return_true (since WordPress 5.5 the omission also logs a _doing_it_wrong notice, but the route is still registered and served). Core's own /wp-json/wp/v2/users returns only public fields (id, name, slug, avatar) to anonymous callers and reveals user_email only in the edit context, which requires the list_users capability. A custom route that returns raw user records sidesteps both restrictions, so an attacker can enumerate the entire user base without authentication.
The disclosure feeds downstream attacks. Harvested email addresses support phishing and business email compromise. Because wp-login.php accepts either the username or the email address as the login identifier, both harvested fields feed credential-stuffing and password-spraying against wp-login.php and xmlrpc.php, where system.multicall lets one request test many passwords.
Root Cause
The root cause is a missing authorization check on the REST route registration: the endpoint neither validates the caller's capability nor restricts the response to public fields, so anyone who can reach the site receives the same data core reserves for users with list_users. This pattern aligns with CWE-200, where sensitive information is exposed to actors that should not have access.
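The registration pattern that produces this class of bug, next to a hardened form, as an added example written for this page. It is not ComboBlocks' own code: the function names, the optional search argument and the returned field list are assumptions about what a block-editor user picker needs.

```php
<?php
/**
 * Added example for this page, not ComboBlocks' own code: the registration pattern
 * behind CVE-2024-13796 next to a hardened form. Function names, the 'search'
 * argument and the returned field list are assumptions.
 */

// Vulnerable pattern: no permission_callback, and the callback returns whole WP_User
// objects. WordPress 5.5+ logs a _doing_it_wrong notice for the missing callback but
// still registers the route and serves it to anonymous callers; '__return_true' would
// be just as exposed. In this illustrative form json-encoding a WP_User serializes its
// data object, so user_email, user_login and even the user_pass hash go out in one GET.
function pg_example_register_get_users_vulnerable() {
    register_rest_route( 'post-grid/v2', '/get_users', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => function ( WP_REST_Request $request ) {
            return get_users( array( 'number' => 100 ) );
        },
        // no 'permission_callback'
    ) );
}

// Hardened form: gate the route on a capability and return only public fields.
// list_users is what core requires before it reveals user_email on /wp/v2/users; if the
// block only needs id and display name, edit_posts would suffice because nothing in
// the response exceeds what core already exposes publicly.
function pg_example_register_get_users_fixed() {
    register_rest_route( 'post-grid/v2', '/get_users', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            return current_user_can( 'list_users' );
        },
        'args' => array(
            'search' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $query = array(
                'number' => 100,
                'fields' => array( 'ID', 'display_name' ), // never user_email or user_pass
            );
            $search = $request->get_param( 'search' );
            if ( is_string( $search ) && '' !== $search ) {
                $query['search']         = '*' . $search . '*';
                $query['search_columns'] = array( 'display_name', 'user_nicename' );
            }
            // get_users() with an array of fields returns stdClass rows with just those columns.
            $users = array_map( function ( $u ) {
                return array( 'id' => (int) $u->ID, 'name' => $u->display_name );
            }, get_users( $query ) );
            return rest_ensure_response( $users );
        },
    ) );
}

add_action( 'rest_api_init', 'pg_example_register_get_users_fixed' );
```

The permission_callback only sees a logged-in user when the request carries a valid X-WP-Nonce (wp.apiFetch adds it automatically in the block editor); a plain browser GET or a curl request arrives as an anonymous caller and is rejected with 401 before the callback runs. Restricting the field list is the second half of the fix: even if a capability check is later loosened for a new feature, the route no longer has any sensitive data to leak.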
Attack Vector
Exploitation requires only network access to the target site. An attacker issues an unauthenticated HTTP GET request to /wp-json/post-grid/v2/get_users (or, on sites without pretty permalinks, to /?rest_route=/post-grid/v2/get_users) and parses the JSON response. No user interaction, authentication, or privileged context is required. The vulnerability exposes confidentiality only; integrity and availability are not directly affected. For verification details, see the WordPress Plugin Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-13796
Indicators of Compromise
- HTTP GET requests to /wp-json/post-grid/v2/get_users, or to its query-string form /?rest_route=/post-grid/v2/get_users, in web server access logs
- Sequential or scripted requests to the endpoint from a single IP or distributed source
- User-Agent strings associated with common HTTP libraries (python-requests, curl, Go-http-client) hitting the route
- Spikes in WordPress login failures or password-reset emails following enumeration activity
Detection Strategies
- Monitor web access logs and WAF telemetry for requests whose path matches /wp-json/post-grid/v2/get_users or whose query string contains rest_route=/post-grid/v2/get_users (the slashes may be percent-encoded as %2F)
- Inventory installed WordPress plugins (with WP-CLI: wp plugin list --fields=name,version,status) and flag any ComboBlocks install at version 2.3.6 or earlier
- Alert on large responses from the route (nginx $body_bytes_sent, Apache %b): a successful enumeration returns kilobytes of JSON, whereas a denied request returns a short error body
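The indicators and detection strategies above applied to an access log, as an added example that is not part of the original advisory. It scans combined-format log lines (nginx or Apache) for both URL forms of the route, groups hits per source IP, and reports sources that show repeated requests, a scripted client User-Agent, or a large 200 response. The log lines at the bottom are constructed for the example; the thresholds and the list of scripted clients are assumptions to tune per site.

```php
<?php
/**
 * Added example, not from the original advisory: scan a combined-format access log
 * (nginx or Apache) for enumeration of the ComboBlocks get_users route and summarize
 * suspicious sources. Sample lines at the bottom are constructed; the thresholds and
 * the scripted-client list are assumptions to tune per site.
 * Usage: php scan_get_users.php /var/log/nginx/access.log   (no argument = built-in sample)
 */

// Matches both ways WordPress exposes the route: the pretty-permalink path and the
// ?rest_route= query-string form, whose slashes may arrive percent-encoded as %2F.
function cb_is_get_users_request( string $target ): bool {
    if ( preg_match( '#^/wp-json/post-grid/v2/get_users(?:/|\?|$)#i', $target ) ) {
        return true;
    }
    return (bool) preg_match( '#[?&]rest_route=(?:/|%2F)post-grid(?:/|%2F)v2(?:/|%2F)get_users#i', $target );
}

// Parse one combined-log-format line; null if the line does not match the format.
function cb_parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'bytes'  => '-' === $m[6] ? 0 : (int) $m[6],
        'ua'     => $m[7],
    );
}

// Aggregate hits on the route per source IP and report the ones matching the IoCs.
function cb_scan( array $lines, int $hit_threshold = 3, int $bytes_threshold = 10000 ): array {
    $scripted = '/python-requests|curl|Go-http-client|wget|libwww|okhttp|Scrapy/i';
    $per_ip   = array();

    foreach ( $lines as $line ) {
        $r = cb_parse_line( $line );
        if ( null === $r || ! cb_is_get_users_request( $r['target'] ) ) {
            continue;
        }
        $ip = $r['ip'];
        if ( ! isset( $per_ip[ $ip ] ) ) {
            $per_ip[ $ip ] = array( 'hits' => 0, 'served' => 0, 'max_bytes' => 0, 'scripted' => false );
        }
        $per_ip[ $ip ]['hits']++;
        if ( 200 === $r['status'] ) {   // only a 200 actually handed the user list over
            $per_ip[ $ip ]['served']++;
            $per_ip[ $ip ]['max_bytes'] = max( $per_ip[ $ip ]['max_bytes'], $r['bytes'] );
        }
        if ( preg_match( $scripted, $r['ua'] ) ) {
            $per_ip[ $ip ]['scripted'] = true;
        }
    }

    $findings = array();
    foreach ( $per_ip as $ip => $e ) {
        $reasons = array();
        if ( $e['served'] > 0 ) {
            $reasons[] = "route served data with HTTP 200 ({$e['served']}x)";
        }
        if ( $e['hits'] >= $hit_threshold ) {
            $reasons[] = "repeated requests ({$e['hits']})";
        }
        if ( $e['scripted'] ) {
            $reasons[] = 'scripted client user-agent';
        }
        if ( $e['max_bytes'] >= $bytes_threshold ) {
            $reasons[] = "large user list returned ({$e['max_bytes']} bytes)";
        }
        if ( $reasons ) {
            $findings[ $ip ] = $reasons;
        }
    }
    return $findings;
}

// Constructed sample traffic: a scripted enumerator, a single hit via the rest_route
// form, a benign core request, and a probe already blocked by a WAF (403).
$cb_sample_log = array(
    '203.0.113.10 - - [10/Mar/2025:10:00:01 +0000] "GET /wp-json/post-grid/v2/get_users HTTP/1.1" 200 18342 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [10/Mar/2025:10:00:02 +0000] "GET /wp-json/post-grid/v2/get_users HTTP/1.1" 200 18342 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [10/Mar/2025:10:00:03 +0000] "GET /wp-json/post-grid/v2/get_users HTTP/1.1" 200 18342 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [10/Mar/2025:10:05:40 +0000] "GET /?rest_route=%2Fpost-grid%2Fv2%2Fget_users HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2025:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2025:10:06:05 +0000] "GET /wp-json/post-grid/v2/get_users HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
);

if ( PHP_SAPI === 'cli' ) {
    $lines = isset( $argv[1] ) ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) : $cb_sample_log;
    foreach ( cb_scan( $lines ) as $ip => $reasons ) {
        echo $ip, ': ', implode( '; ', $reasons ), PHP_EOL;
    }
}
```

On the built-in sample the script reports 203.0.113.10 (three 200 responses, scripted client, large body) and 198.51.100.7 (one 200 via the rest_route form), and stays silent about 192.0.2.44, whose only probe was already answered with 403. A single 200 is reported on purpose: on a vulnerable version one successful request is a complete data exposure, so every served hit needs a human look, not only the noisy scripted ones. Behind a reverse proxy or CDN, make sure the logged client address is the real one (X-Forwarded-For handling), otherwise every hit collapses onto the proxy IP.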
Monitoring Recommendations
- Forward WordPress and reverse-proxy access logs to a centralized SIEM for correlation
- Track outbound phishing campaigns referencing harvested user email addresses
- Review authentication logs for credential-stuffing patterns following any suspected enumeration event
How to Mitigate CVE-2024-13796
Immediate Actions Required
- Update the Post Grid and Gutenberg Blocks – ComboBlocks plugin to a version newer than 2.3.6 as published by Pickplugins
- Audit WordPress sites for active installations of the plugin and prioritize patching internet-exposed instances
- Enforce multi-factor authentication for administrator and editor accounts, treat the exposed usernames and emails as known to attackers, and reset passwords on any account that shows failed or anomalous login attempts after the exposure window
Patch Information
The vendor addressed the issue in a plugin update tracked in the WordPress Plugin Changeset. The fix adds an authorization check to the get_users REST route. Site administrators should update through the WordPress Plugins dashboard or by replacing the plugin directory with the patched release.
Workarounds
- Block external access to the route at the web application firewall or reverse proxy until the patch is applied, covering both the /wp-json/post-grid/v2/get_users path and the /?rest_route=/post-grid/v2/get_users query-string form
- Disable the ComboBlocks plugin on production sites where an immediate update is not feasible (its blocks stop rendering on the front end, so verify affected pages afterwards)
- Restrict the route to authenticated users with a security plugin or a custom rest_authentication_errors or rest_pre_dispatch filter; scope the filter to the post-grid/v2/get_users route rather than the whole REST API, because a blanket authentication requirement breaks public REST consumers such as oEmbed discovery, contact-form submissions and front-end blocks that fetch data
# Example nginx rules to block the vulnerable endpoint until patched.
# A regex location matches the decoded request path, so this covers the pretty-permalink form;
# return 403 alone is enough (deny all would also answer 403, but runs later in the access phase).
location ~* ^/wp-json/post-grid/v2/get_users {
    return 403;
}
# WordPress also serves routes through the query string (/?rest_route=/post-grid/v2/get_users);
# $arg_rest_route is still percent-encoded at this point, hence the (/|%2F) alternatives.
if ($arg_rest_route ~* "post-grid(/|%2F)v2(/|%2F)get_users") {
    return 403;
}
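A WordPress-side workaround for the last bullet above, scoped to the one route, as an added example that is not part of the ComboBlocks plugin. It is a must-use plugin (dropped into wp-content/mu-plugins/, so it cannot be deactivated from the dashboard) that denies the vulnerable route to callers without list_users and logs every attempt; it uses rest_pre_dispatch rather than an unscoped rest_authentication_errors filter so that every other REST route keeps working. The plugin header text, the constant name and the log prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary guard for the ComboBlocks get_users route
 * Description: Illustrative mu-plugin written for this page (not ComboBlocks code). Put it
 *              in wp-content/mu-plugins/ until the patched release is installed; remove it
 *              afterwards. Denies /post-grid/v2/get_users to callers without list_users
 *              and logs every attempt.
 */

// Route as WordPress normalizes it. $request->get_route() yields this same string whether the
// client used /wp-json/post-grid/v2/get_users or /?rest_route=/post-grid/v2/get_users.
const CB_GUARD_ROUTE = '/post-grid/v2/get_users';

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Another filter already short-circuited this request; do not override its decision.
    if ( null !== $result ) {
        return $result;
    }

    // untrailingslashit() lets "/get_users/" match as well. Other routes pass through untouched.
    if ( untrailingslashit( $request->get_route() ) !== CB_GUARD_ROUTE ) {
        return $result;
    }

    // Authentication has already run (cookie + X-WP-Nonce, application passwords), so
    // current_user_can() reflects the real caller. list_users is the capability core
    // requires before it reveals user emails on /wp/v2/users.
    if ( current_user_can( 'list_users' ) ) {
        return $result;
    }

    // Audit trail in the PHP error log; ship it to the SIEM with the rest of the web logs.
    // REMOTE_ADDR is the proxy's address behind a reverse proxy or CDN unless the server
    // is configured to restore the client IP.
    error_log( sprintf(
        'cb-guard: blocked %s %s from %s ua=%s',
        $request->get_method(),
        $request->get_route(),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['HTTP_USER_AGENT'] ?? '-'
    ) );

    // 401 for anonymous callers, 403 for logged-in users lacking the capability,
    // mirroring how core's own protected routes answer.
    return new WP_Error(
        'rest_forbidden',
        __( 'Sorry, you are not allowed to do that.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Verify the guard with an anonymous request to both URL forms (expect a 401 JSON error and a cb-guard line in the PHP error log) and with a logged-in editor session in the block editor (expect the block's user picker to keep working only for users who hold list_users). Because the check happens inside WordPress, it also covers sites that cannot edit the web server configuration, but it does not reduce the request load the way a WAF rule does.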
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


