Post Grid Combo Vulnerability – Authenticated (Contributor+) Cross-Site Scripting – CVE-2023-6645 | WordPress Plugin Vulnerability Report
Plugin Name: Post Grid Combo
Key Information:
- Software Type: Plugin
- Software Slug: post-grid
- Software Status: Active
- Software Author: pickplugins
- Software Downloads: 2,566,872
- Active Installs: 50,000
- Last Updated: December 15, 2023
- Patched Versions: 2.2.65
- Affected Versions: <= 2.2.64
Vulnerability Details:
- Name: Post Grid Combo – 36+ Gutenberg Blocks <= 2.2.64 - Authenticated (Contributor+) Cross-Site Scripting
- Title: Authenticated (Contributor+) Cross-Site Scripting
- Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CVE: CVE-2023-6645
- CVSS Score: 6.4 (Medium)
- Publicly Published: December 15, 2023
- Researcher: 6.4 (Medium)
- Description: The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Post Grid Combo for WordPress has a vulnerability in versions up to and including 2.2.64 that allows for Authenticated (Contributor+) Cross-Site Scripting. This vulnerability has been patched in version 2.2.65.
Detailed Overview:
The Post Grid Combo plugin, which offers 36+ Gutenberg blocks for constructing post grids, slides, and more, contains a vulnerability that enables authenticated users with at least Contributor permissions to inject malicious JavaScript that will execute when pages containing it are viewed. This is due to insufficient sanitization of the custom JS parameter input, enabling storing of unfiltered JavaScript. Attackers able to edit pages can include malicious scripts that will then execute for Administrators or other users viewing affected pages in a browser, creating risk of session hijacking, UI redress attacks, or other browser-based attacks depending on script content.
The vulnerability is patched as of version 2.2.65 with improved input sanitization to prevent storing unfiltered JavaScript. Users are advised to update immediately to avoid potential compromise.
Advice for Users:
- Immediate Action: Update to the latest patched release, version 2.2.65, as soon as possible.
- Check for Signs of Vulnerability: Review page content and source for unauthorized
<script>
tags that could signal compromise. - Alternate Plugins: Users concerned over potential residual risk can consider alternate post grid plugins while monitoring for updates.
- Stay Updated: Enable automatic updates for plugins to receive security fixes promptly. Monitor the plugin site and changelogs to ensure awareness of vulnerabilities.
Conclusion:
The prompt response from the plugin developers to patch this serious vulnerability highlights the importance of timely updates. Users should ensure they are running version 2.2.65 or later to fully protect their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/post-grid
Detailed Report:
Keeping your WordPress website secure requires vigilance, especially when it comes to third-party plugins which can introduce vulnerabilities. Unfortunately that’s the case with a recently disclosed issue in the popular Post Grid Combo plugin, installed on over 50,000 sites. In outdated versions this plugin has a vulnerability enabling JavaScript injection onto pages by contributors, putting sites at risk.
About the Plugin
Post Grid Combo is a widely-used plugin that enables adding various post grid, slider, and other display functionality through Gutenberg blocks. With over 2.5 million downloads and 50,000 installs, many site owners rely on it to enhance WordPress’ design capabilities.
The Vulnerability
Versions 2.2.64 and earlier contain a cross-site scripting (XSS) vulnerability related to insufficient filtering applied to custom JavaScript snippets. This vulnerability allows those with contributor access or above to inject browser-executable scripts into site pages and posts.
Risks
This vulnerable JavaScript allows various attacks by contributors, including session hijacking, malware injection, phishing popups, and more depending on script content. Visitors to the site can then fall victim and have sessions/data compromised as scripts execute in their browsers.
Updating
Installing the patched Post Grid Combo version 2.2.65 closes this vulnerability by improving input sanitization. For site owners this requires first ensuring WordPress and plugins stay routinely updated, a simple process but critical security measure that is easy to overlook when busy.
Enabling automatic background updates is strongly advised. Alternatively, manually triggering updates or at least reviewing available updates weekly works. Updates only take a minute but prevent you from remaining at risk.
Past Vulnerabilities
Post Grid Combo has had 6 previous vulnerabilities reported since November 2016, suggesting ongoing weaknesses in security practices. This underscores the need for users to stay on top of updates to ensure holes are patched promptly.
Staying Secure
This vulnerability offers a salient reminder - outdated plugins and themes open doors for threats to creep in, even popular plugins like Post Grid Combo relied upon by thousands. Making WordPress security a regular priority rather than afterthought protects your site, customers, and business from harm.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.