The Post Grid Vulnerability – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid – Missing Authorization – CVE-2024-3936 | WordPress Plugin Vulnerability Report

Plugin Name: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Key Information:

  • Software Type: Plugin
  • Software Slug: the-post-grid
  • Software Status: Active
  • Software Author: techlabpro1
  • Software Downloads: 1,704,748
  • Active Installs: 90,000
  • Last Updated: May 10, 2024
  • Patched Versions: 7.7.0
  • Affected Versions: <= 7.6.1

Vulnerability Details:

  • Name: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.6.1
  • Title: Missing Authorization
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CVE: CVE-2024-3936
  • CVSS Score: 4.3
  • Publicly Published: April 30, 2024
  • Researcher: Pavel Palii
  • Description: The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This allows authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions.


The "The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid" for WordPress has a vulnerability in versions up to and including 7.6.1 that allows unauthorized modification of plugin settings. This vulnerability has been patched in version 7.7.0.

Detailed Overview:

This vulnerability originates from a missing authorization check in the rtTPGSaveSettings function utilized within the plugin. Pavel Palii, the researcher who discovered this issue, notes that this oversight permits authenticated users with basic subscriber privileges or higher to manipulate settings and trigger AJAX actions unintentionally exposed. The potential risk includes unauthorized alterations to the plugin's configuration, potentially leading to site misconfigurations or exposure to further vulnerabilities. The prompt patch release by the developers in version 7.7.0 rectifies this security flaw.

Advice for Users:

  • Immediate Action: Update to the patched version 7.7.0 immediately.
  • Check for Signs of Vulnerability: Review plugin settings and logs for unexpected changes to detect if your site may have been compromised.
  • Alternate Plugins: While a patch is available, considering alternative plugins offering similar functionality may serve as an additional precaution.
  • Stay Updated: Regularly updating your plugins to the latest versions is crucial to safeguard against vulnerabilities.


The swift response by the developers of The Post Grid plugin in releasing a patch underscores the importance of maintaining up-to-date installations. It is imperative for users to install version 7.7.0 or later to ensure their WordPress sites remain secure.


Detailed Report: 

In the realm of digital business, the security of your website is an imperative that goes beyond just good practice—it's crucial for safeguarding your data and maintaining your customers' trust. This was starkly highlighted by a recent vulnerability found in a widely used WordPress plugin, "The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid."

Overview of the Plugin

"The Post Grid" is a popular plugin designed to enhance WordPress sites with dynamic grid layouts. As of May 2024, it boasts over 1.7 million downloads and 90,000 active installations. Despite its popularity and utility, the plugin became a security concern when a significant flaw was discovered.

Details of the Vulnerability

Identified as CVE-2024-3936, this vulnerability stems from a missing authorization check in the rtTPGSaveSettings function. This flaw allows authenticated users, even those with just subscriber-level access, to modify plugin settings and trigger unintended AJAX actions. The vulnerability, tagged with a CVSS score of 4.3, reflects a moderate risk—primarily involving unauthorized data modification that could lead to misconfigurations or other security breaches.

Risks and Potential Impacts

If exploited, this vulnerability could lead to altered site behavior, unauthorized data exposure, or other damaging outcomes, potentially compromising site integrity and user data. Such incidents can erode customer trust and may even lead to regulatory scrutiny if sensitive information is mishandled.

Remediation Steps

The developers of "The Post Grid" have released a patched version of the plugin, 7.7.0, which resolves the vulnerability for all affected versions up to 7.6.1. Immediate steps for website owners include:

  • Updating the plugin: Ensure "The Post Grid" is updated to version 7.7.0 or later.
  • Auditing your site: Check plugin settings and site logs for any unusual activity that might indicate the vulnerability has been exploited.
  • Exploring alternatives: Consider other plugins that offer similar functionalities but with a stronger security track record if frequent vulnerabilities are a concern.

Previous Vulnerabilities

This is not the first time vulnerabilities have been reported in "The Post Grid." Since February 2023, two other security issues have been identified and patched. This pattern underscores the necessity of regular updates and vigilance.

Importance of Staying on Top of Security

For small business owners, actively managing a website's security might seem daunting due to time constraints. However, the consequences of neglect can be far more time-consuming and expensive than the preventative measures. Employing managed WordPress hosting services, utilizing automatic update features, and subscribing to security blogs or services that alert you to relevant vulnerabilities can drastically reduce the risk and overhead of keeping your site secure.


The quick response to patch vulnerabilities like CVE-2024-3936 by plugin developers is commendable, yet the responsibility ultimately falls on website owners to ensure updates are applied promptly. Staying proactive about your WordPress site’s security is not just about fixing problems as they arise—it’s about preventing issues before they impact your business. Regular updates, combined with strategic security practices, are your best defense against the evolving landscape of cyber threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

The Post Grid Vulnerability – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid – Missing Authorization – CVE-2024-3936 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment