CVE-2024-8253
published 2024-09-11


CVSS 3.1 base score: 8.8 (High)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Priority: P266
EPSS: 9.57% (94.9th percentile)
The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator.

Affected (2 ranges)

Vendor       | Product                          | Version range        | Fixed in
pickplugins  | post_grid                        | >= 2.2.87, < 2.2.91  | 2.2.91
pickplugins  | post_grid_and_gutenberg_blocks   | 2.2.87 – 2.2.90      |

Detection & IOCs

  • Authenticated users with subscriber-level access and above can update their own user meta to escalate to administrator. WordPress stores a user's roles as a serialized array in the "{table_prefix}capabilities" user meta row (wp_capabilities on a default install), so monitor for unexpected writes to that key, and for unexpected role changes generally, on sites running Post Grid and Gutenberg Blocks versions 2.2.87 to 2.2.90.
  • The vulnerability affects over 40,000 WordPress sites running the Post Grid and Gutenberg Blocks plugin; prioritize detection and patching across installations that use it.
  • Only plugin versions 2.2.87 through 2.2.90 are vulnerable; versions outside this range are not affected.
  • The plugin fails to restrict which user meta keys can be updated and does not verify that a form is active. Detection logic should focus on user meta update requests issued by low-privileged accounts, especially ones that touch the capabilities or user_level keys.
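The detection points above, as an added example that is not code from this page or from the Post Grid plugin: a hypothetical must-use plugin (every cmg_ name and the CMG_BLOCK constant are assumptions) that hooks the WordPress user-meta write filters, logs any attempt by a logged-in user without the promote_users capability to write the capabilities or user_level keys, and optionally refuses the write. It assumes the vulnerable path goes through the normal update_user_meta()/add_user_meta() API, which is how user meta is written in WordPress plugins; a write made with raw SQL would not pass through these filters.

```php
<?php
/**
 * Plugin Name: Capability-meta guard (added example, not part of Post Grid)
 *
 * Place this file in wp-content/mu-plugins/ so it loads before ordinary
 * plugins. It watches every user-meta write for the keys that decide a
 * user's role and logs (or, when CMG_BLOCK is true, refuses) writes made
 * by a logged-in user who is not allowed to promote users.
 */

if ( ! defined( 'CMG_BLOCK' ) ) {
    define( 'CMG_BLOCK', false ); // false = detect and log only; true = also refuse the write
}

/**
 * Meta keys that control role membership. WordPress stores roles as a
 * serialized array under "{table_prefix}capabilities" (wp_capabilities on a
 * default install) and a legacy numeric level under "{table_prefix}user_level".
 */
function cmg_protected_meta_keys() {
    global $wpdb;
    $prefix = $wpdb->get_blog_prefix();
    return array( $prefix . 'capabilities', $prefix . 'user_level' );
}

/**
 * Filter callback for update_user_metadata / add_user_metadata.
 * Returning null lets WordPress continue; returning false short-circuits
 * the write and makes update_user_meta()/add_user_meta() return false.
 */
function cmg_guard_user_meta( $check, $object_id, $meta_key, $meta_value ) {
    if ( ! in_array( $meta_key, cmg_protected_meta_keys(), true ) ) {
        return $check;
    }

    // Registration, WP-CLI and cron run with no logged-in user; the attack
    // described in CVE-2024-8253 needs an authenticated account, so only
    // authenticated writers are examined here. Administrators (who hold
    // promote_users) are allowed through.
    if ( ! is_user_logged_in() || current_user_can( 'promote_users' ) ) {
        return $check;
    }

    $actor   = get_current_user_id();
    $request = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '(cli)';
    $message = sprintf(
        'cmg: user %d attempted to write %s for user %d via %s; new value: %s',
        $actor,
        $meta_key,
        (int) $object_id,
        $request,
        wp_json_encode( $meta_value )
    );
    error_log( $message );
    // Hypothetical hook so a SIEM shipper or alerting plugin can subscribe.
    do_action( 'cmg_suspicious_role_write', $actor, (int) $object_id, $meta_key, $meta_value );

    return CMG_BLOCK ? false : $check;
}
add_filter( 'update_user_metadata', 'cmg_guard_user_meta', 10, 4 );
add_filter( 'add_user_metadata', 'cmg_guard_user_meta', 10, 4 );

/**
 * Retrospective check for sites that may already have been hit: lists every
 * administrator with registration date, for comparison against a known-good
 * roster. Usable from WP-CLI: wp eval 'print_r( cmg_list_administrators() );'
 */
function cmg_list_administrators() {
    $out = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $out[] = array(
            'ID'         => $user->ID,
            'user_login' => $user->user_login,
            'registered' => $user->user_registered,
        );
    }
    return $out;
}
```

Run it in log-only mode first: some e-commerce or membership plugins create accounts on behalf of a logged-in user during checkout, and those flows would be logged (and, with CMG_BLOCK enabled, refused) until you whitelist them. The error_log lines and the cmg_suspicious_role_write hook give you the request URI and actor ID needed to tie an alert back to the plugin endpoint that issued the write; the administrator roster is the quick triage check when a site was exposed before patching to 2.2.91.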