CVE-2024-0881

Severity: Medium · Public PoC available

Published: 11 April 2024

Modified: 09 May 2025
KEV Added: (not listed)
Patch: (see fixed release below)
CVSS Score (v3.1): 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.1307 (94.3rd percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-0881 is a medium-severity vulnerability of unspecified weakness type (no CWE assigned) in Pickplugins Post Grid. Its CVSS base score is 5.4 (Medium).

Operationally, it ranks in the top 5.7% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before version 2.2.76 contains an authorization flaw that exposes password-protected posts through unauthenticated AJAX endpoints. The affected component fails to enforce access controls on certain queries, so restricted post content appears in responses that should be limited to users who have supplied the correct post password.

Unauthenticated attackers can invoke the vulnerable AJAX actions to retrieve the full content of password-protected posts. This grants them read access to material that should remain hidden; the CVSS 5.4 rating reflects a network-exploitable confidentiality and integrity impact that requires no user interaction.

Public references from WPScan document the missing authorization checks and identify the fixed release as 2.2.76. The EPSS score has remained flat at 0.1307, with no observed rise after disclosure.

EU & UK References

Vulnerability details

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not have proper authorization, resulting in password-protected posts being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pickplugins post grid, versions ≤ 2.2.76

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References