CVE-2024-3936 - Vulnerability Details - OpenCVE

The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Wordpress	Post Grid Shortcode Gutenberg Blocks Elementor

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/the-post-grid/trunk/app/Controllers/AjaxController.php#L130
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078599%40the-post-grid%2Ftrunk&old=3061874%40the-post-grid%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ef2ced-3c82-4379-8b14-1cf11482fd35?source=cve

History

Thu, 26 Feb 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress post Grid Shortcode Gutenberg Blocks Elementor
CPEs		cpe:2.3:a:wordpress:post_grid_shortcode_gutenberg_blocks_elementor:-:::::::*
Vendors & Products		Wordpress Wordpress post Grid Shortcode Gutenberg Blocks Elementor
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-02T16:52:51.888Z

Updated: 2024-08-01T20:26:57.209Z

Reserved: 2024-04-17T17:28:06.979Z

Link: CVE-2024-3936

Vulnrichment

Updated: 2024-08-01T20:26:57.209Z

NVD

Status : Awaiting Analysis

Published: 2024-05-02T17:15:32.583

Modified: 2024-11-21T09:30:44.283

Link: CVE-2024-3936

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3936", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-04-17T17:28:06.979Z", "datePublished": "2024-05-02T16:52:51.888Z", "dateUpdated": "2024-08-01T20:26:57.209Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:51.888Z"}, "affected": [{"vendor": "techlabpro1", "product": "The Post Grid \u2013 Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "7.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Post Grid \u2013 Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ef2ced-3c82-4379-8b14-1cf11482fd35?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-post-grid/trunk/app/Controllers/AjaxController.php#L130"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078599%40the-post-grid%2Ftrunk&old=3061874%40the-post-grid%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Pavel Palii"}], "timeline": [{"time": "2024-04-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3936", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-02T17:44:37.790013Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wordpress:post_grid_shortcode_gutenberg_blocks_elementor:-:*:*:*:*:*:*:*"], "vendor": "wordpress", "product": "post_grid_shortcode_gutenberg_blocks_elementor", "versions": [{"status": "affected", "version": "-", "versionType": "custom", "lessThanOrEqual": "7.6.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:32:42.954Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:26:57.209Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ef2ced-3c82-4379-8b14-1cf11482fd35?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/the-post-grid/trunk/app/Controllers/AjaxController.php#L130", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078599%40the-post-grid%2Ftrunk&old=3061874%40the-post-grid%2Ftrunk&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ef2ced-3c82-4379-8b14-1cf11482fd35?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/the-post-grid/trunk/app/Controllers/AjaxController.php#L130", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078599%40the-post-grid%2Ftrunk&old=3061874%40the-post-grid%2Ftrunk&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:26:57.209Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3936", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-02T17:44:37.790013Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wordpress:post_grid_shortcode_gutenberg_blocks_elementor:-:*:*:*:*:*:*:*"], "vendor": "wordpress", "product": "post_grid_shortcode_gutenberg_blocks_elementor", "versions": [{"status": "affected", "version": "-", "versionType": "custom", "lessThanOrEqual": "7.6.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-02T17:46:03.672Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Pavel Palii"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "techlabpro1", "product": "The Post Grid \u2013 Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-04-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ef2ced-3c82-4379-8b14-1cf11482fd35?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-post-grid/trunk/app/Controllers/AjaxController.php#L130"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078599%40the-post-grid%2Ftrunk&old=3061874%40the-post-grid%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The The Post Grid \u2013 Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:51.888Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3936", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:26:57.209Z", "dateReserved": "2024-04-17T17:28:06.979Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-02T16:52:51.888Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The The Post Grid \u2013 Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions."}, {"lang": "es", "value": "El complemento The Post Grid \u2013 Shortcode, Gutenberg Blocks y Elementor Addon para Post Grid para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n rtTPGSaveSettings en todas las versiones hasta la 7.6.1 incluida. Esto hace posible que atacantes autenticados, con acceso de suscriptor o superior, cambien la configuraci\u00f3n del complemento e invoquen otras funciones enganchadas por acciones AJAX."}], "id": "CVE-2024-3936", "lastModified": "2024-11-21T09:30:44.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-02T17:15:32.583", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-post-grid/trunk/app/Controllers/AjaxController.php#L130"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078599%40the-post-grid%2Ftrunk&old=3061874%40the-post-grid%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ef2ced-3c82-4379-8b14-1cf11482fd35?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/the-post-grid/trunk/app/Controllers/AjaxController.php#L130"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078599%40the-post-grid%2Ftrunk&old=3061874%40the-post-grid%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ef2ced-3c82-4379-8b14-1cf11482fd35?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis"}