Plugin Name: Post Grid Combo
- Software Type: Plugin
- Software Slug: post-grid
- Software Status: Active
- Software Author: pickplugins
- Software Downloads: 2,566,872
- Active Installs: 50,000
- Last Updated: December 15, 2023
- Patched Versions: 2.2.65
- Affected Versions: <= 2.2.64
- Name: Post Grid Combo – 36+ Gutenberg Blocks <= 2.2.64 - Authenticated (Contributor+) Cross-Site Scripting
- Title: Authenticated (Contributor+) Cross-Site Scripting
- Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CVE: CVE-2023-6645
- CVSS Score: 6.4 (Medium)
- Publicly Published: December 15, 2023
- Description: The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
The Post Grid Combo for WordPress has a vulnerability in versions up to and including 2.2.64 that allows for Authenticated (Contributor+) Cross-Site Scripting. This vulnerability has been patched in version 2.2.65.
Advice for Users:
- Immediate Action: Update to the latest patched release, version 2.2.65, as soon as possible.
- Check for Signs of Vulnerability: Review page content and source for unauthorized <script> tags that could signal compromise.
- Alternate Plugins: Users concerned over potential residual risk can consider alternate post grid plugins while monitoring for updates.
- Stay Updated: Enable automatic updates for plugins to receive security fixes promptly. Monitor the plugin site and changelogs to ensure awareness of vulnerabilities.
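One way to carry out the "check for signs" step above against rows exported from wp_posts, written as an added example that is not part of this advisory or of the plugin's own code. Because Gutenberg serialises block attributes as JSON inside an HTML comment (where `<` is commonly stored as `\u003c`), a plain grep of the page source for `<script>` can miss a payload sitting in a block attribute; this scanner decodes the attributes first. The block name `post-grid/grid`, the `customJs` attribute and the `author_role` field are assumptions, not the plugin's real identifiers.

```python
import json
import re
# Gutenberg stores each block as an HTML comment carrying a JSON attribute object.
BLOCK_RE = re.compile(r"<!--\s*wp:((?:[\w-]+/)?[\w-]+)\s*(\{.*?\})?\s*/?-->", re.S)
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:", re.I)  # script-bearing text
JS_KEY_RE = re.compile(r"js|script", re.I)  # attribute keys holding raw JS by design (assumed naming)
TRUSTED_ROLES = {"administrator", "editor"}  # roles with unfiltered_html on a single-site install

def walk_strings(value, path=""):
    """Yield (path, text) for every string nested in a decoded attribute object."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def scan_post(post):
    """Return (post_id, role, location, reason, excerpt) tuples that need manual review."""
    pid, role, content = post["ID"], post["author_role"], post["post_content"]
    hits = []
    for m in BLOCK_RE.finditer(content):
        block, raw = m.group(1), m.group(2)
        if not raw:
            continue
        try:
            attrs = json.loads(raw)  # decodes \u003c escapes that a plain grep for "<script" misses
        except json.JSONDecodeError:
            hits.append((pid, role, block, "unparseable-attrs", raw[:40]))
            continue
        for path, text in walk_strings(attrs):
            key = path.rsplit(".", 1)[-1]
            if SCRIPT_RE.search(text):
                hits.append((pid, role, f"{block}:{path}", "script-in-attr", text[:40]))
            elif text.strip() and JS_KEY_RE.search(key) and role not in TRUSTED_ROLES:
                hits.append((pid, role, f"{block}:{path}", "custom-js-from-untrusted-role", text[:40]))
    for m in re.finditer(r"<script\b[^>]*>", content, re.I):  # raw tags in the stored HTML
        hits.append((pid, role, "html", "inline-script-tag", m.group(0)[:40]))
    return hits

def scan_posts(posts):
    return [h for p in posts for h in scan_post(p)]

# Constructed sample rows shaped like wp_posts joined with the author's role; block/attribute names are assumed.
SAMPLE_POSTS = [
    {"ID": 10, "author_role": "editor", "post_content": r'<!-- wp:post-grid/grid {"customJs":"console.log(1)","columns":3} /-->'},
    {"ID": 11, "author_role": "contributor", "post_content": r'<!-- wp:post-grid/grid {"customJs":"\u003cscript\u003ealert(1)\u003c/script\u003e"} /-->'},
    {"ID": 12, "author_role": "contributor", "post_content": r'<!-- wp:post-grid/grid {"customJs":"document.title=1"} /-->'},
    {"ID": 13, "author_role": "subscriber", "post_content": '<p>hi</p><script src="https://example.invalid/x.js"></script>'},
]
```

Running `scan_posts(SAMPLE_POSTS)` flags posts 11, 12 and 13 and leaves the editor-authored post 10 alone; on a real site, feed it the output of `SELECT ID, post_content FROM wp_posts` joined with each author's role.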
The prompt response from the plugin developers to patch this serious vulnerability highlights the importance of timely updates. Users should ensure they are running version 2.2.65 or later to fully protect their WordPress installations.
About the Plugin
Post Grid Combo is a widely-used plugin that enables adding various post grid, slider, and other display functionality through Gutenberg blocks. With over 2.5 million downloads and 50,000 installs, many site owners rely on it to enhance WordPress’ design capabilities.
Installing the patched Post Grid Combo version 2.2.65 closes this vulnerability by improving input sanitization. For site owners, this means keeping WordPress core and plugins routinely updated: a simple but critical security measure that is easy to overlook when busy.
Enabling automatic background updates is strongly advised. Alternatively, trigger updates manually, or at least review available updates weekly. Updates take only a minute and remove the risk of staying exposed.
Post Grid Combo has had 6 previous vulnerabilities reported since November 2016, suggesting ongoing weaknesses in security practices. This underscores the need for users to stay on top of updates to ensure holes are patched promptly.
This vulnerability offers a salient reminder - outdated plugins and themes open doors for threats to creep in, even popular plugins like Post Grid Combo relied upon by thousands. Making WordPress security a regular priority rather than an afterthought protects your site, customers, and business from harm.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.