CVE-2024-9636: 
WordPress vulnerability analysis and mitigation

The Post Grid and Gutenberg Blocks plugin (now known as ComboBlocks) for WordPress contains a critical privilege escalation vulnerability (CVE-2024-9636) affecting versions 2.2.85 to 2.3.3. The vulnerability, discovered in January 2025, allows unauthenticated attackers to register on WordPress sites as administrators due to improper handling of user meta during profile registration. With over 40,000 active installations, this vulnerability poses a significant security risk to WordPress websites (NVD, Security Online).

The vulnerability has been assigned a Critical CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The security flaw stems from improper privilege management (CWE-269) where the plugin fails to properly restrict what user meta can be updated during the profile registration process. This implementation flaw allows unauthenticated attackers to manipulate user data and elevate their privileges to administrator level (NVD).

The vulnerability enables complete website takeover by allowing attackers to gain full administrative access. This access permits malicious actors to modify website content, steal sensitive data, install malware, and potentially deface the website. Additionally, compromised sites could be used for SEO spam campaigns or to redirect visitors to phishing sites (Security Online).

Website owners using affected versions of the Post Grid and Gutenberg Blocks plugin (ComboBlocks) are strongly advised to update immediately to version 2.3.4 or later, which contains the security patch that addresses this vulnerability (Security Online).