CVE-2024-13796
CVE-2024-13796 relates to the WordPress plugin “Post Grid and Gutenberg Blocks – ComboBlocks” (versions
CVE-2022-0447
The CVE-2022-0447 issue affects the WordPress Post Grid plugin prior to version 2.1.16. The vulnerability arises because the post_types parameter is not sanitized/escaped before being echoed in the response of the post_grid_update_taxonomies_terms_by_posttypes AJAX action, which is accessible to ...
CVE-2020-35938
CVE-2020-35938 concerns the WordPress Post Grid plugin (versions prior to 2.0.73). The vulnerability is PHP object injection caused by insecure unserialization of data supplied in a remotely hosted crafted payload sent via AJAX, targeting the action parameter post_grid_import_xml_layouts. An authentic...
CVE-2020-35939
CVE-2020-35939 affects the Team Showcase plugin for WordPress (in the related Post Grid/Team Showcase context): PHP Object Injection via insecure unserialization of the source parameter over AJAX when action=team_import_xml_layouts. It requires authentication (remote authenticated attacker) and ...
CVE-2024-0881
The CVE-2024-0881 entry concerns the WordPress Combo Blocks ecosystem (Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel) prior to version 2.2.76. Root cause: improper access control allows unauthenticated AJAX actions to reveal password-protected posts, enabling ...
CVE-2021-24488
The WordPress Post Grid plugin (pre-2.1.8) contains a reflected XSS due to improper sanitization of the slider-import search feature and the tab parameter, both of which are echoed back in pages. Impact: an attacker could inject scripts viewed by users. Mitigation: upgrade to version 2.1.8 or higher; apply...
CVE-2020-35937
CVE-2020-35937 affects the WordPress Post Grid/Team Showcase plugin: stored XSS in Team Showcase before 1.22.16 via AJAX import of layouts (team_import_xml_layouts) where the source parameter can carry crafted JavaScript. Requires authenticated access; impact is partial confidentiality/integrity/...
CVE-2020-35936
The CVE-2020-35936 entry concerns WordPress plugins Post Grid (and Team Showcase) with a Stored XSS in Post Grid prior to 2.0.73. The vulnerability arises when an authenticated user can import layouts via AJAX using the action post_grid_import_xml_layouts, allowing JavaScript payloads sourced fro...
CVE-2021-24986
The CVE-2021-24986 case affects the WordPress Post Grid plugin prior to version 2.1.16. The vulnerability is a Reflected Cross‑Site Scripting (XSS) caused by not escaping the keyword parameter before it is output in an HTML attribute within the Post Grid search form. Impact as stated: Reflected X...
CVE-2024-1988
CVE-2024-1988 affects the WordPress plugins Post Grid / Combo Blocks (and related blocks) up to version 2.2.80, with stored XSS via the tag attribute in blocks due to insufficient input sanitization and output escaping. Exploitation requires authenticated access (Contributor+), enabling injection...
CVE-2024-13408
The CVE-2024-13408 issue affects the WordPress plugin Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget. It enables Local File Inclusion via the theme attribute of the pgcu shortcode, exploitable by authenticated users with Contributor-level access and abo...
CVE-2024-9645
CVE-2024-9645: The WordPress plugin Post Grid and Gutenberg Blocks (ComboBlocks) versions prior to 2.2.93 fail to validate/escape certain block options before rendering in pages/posts, enabling stored XSS by users with contributor+ privileges. Documented impact states that an attacker with low p...