CVE-2024-13798
📋 TL;DR
The Post Grid and Gutenberg Blocks – ComboBlocks WordPress plugin has an input validation vulnerability that allows unauthenticated attackers to create fake paid orders without payment. This affects all WordPress sites using the plugin up to version 2.3.5. Attackers can exploit this to create fraudulent orders and potentially disrupt e-commerce operations.
💻 Affected Systems
- Post Grid and Gutenberg Blocks – ComboBlocks WordPress plugin
📦 What is this software?
ComboBlocks (plugin slug: post-grid) by PickPlugins, a Gutenberg block collection that includes order/checkout-style forms.
⚠️ Risk & Real-World Impact
Worst Case
Mass creation of fraudulent orders leading to inventory depletion, financial losses from shipping/fulfillment of unpaid orders, and reputational damage to the business.
Likely Case
Limited fraudulent orders created by opportunistic attackers, causing administrative overhead and potential inventory discrepancies.
If Mitigated
No impact if plugin is patched or disabled, or if order validation occurs at payment gateway level.
🎯 Exploit Status
The flaw is missing server-side validation of form fields in the plugin's order flow: the client-supplied order data is trusted, so an attacker needs no account, only the ability to send crafted HTTP requests to the site. Exploitation is therefore straightforward for anyone with basic web knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3242737%40post-grid&new=3242737%40post-grid&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Post Grid and Gutenberg Blocks – ComboBlocks'.
4. Click 'Update Now' if available, or manually update to version 2.3.6+.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the ComboBlocks plugin until it can be updated to 2.3.6 or later.
Implement web application firewall rules
Block suspicious order creation requests at the WAF level. This page does not identify the exact request endpoint the plugin uses, so rules should be built from the plugin's own request patterns observed in your logs, and should not be relied on as a substitute for patching.
🧯 If You Can't Patch
- Disable the ComboBlocks plugin immediately
- Do not trust client-supplied order data: treat an order as paid only after a verified payment gateway callback, never because the submitted form says so
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ComboBlocks version. If version is 2.3.5 or lower, you are vulnerable.
Check Version:
wp plugin list --name='post-grid' --field=version
Verify Fix Applied:
After updating, verify the plugin shows version 2.3.6 or higher in WordPress admin.
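For fleet-wide checks, a script is more reliable than eyeballing the admin page, and version strings must be compared numerically (plain string comparison would rank 2.3.10 below 2.3.6). The following is an added example, not code from the advisory or the plugin; it assumes WP-CLI is on PATH and is run from, or pointed at, the WordPress install root (both assumptions).

```python
"""Check whether the installed ComboBlocks (slug: post-grid) version falls in the
CVE-2024-13798 vulnerable range (2.3.5 or lower; fixed in 2.3.6).

Added example, not part of the advisory or the plugin. Assumes WP-CLI ('wp')
is on PATH (assumption); the comparison logic itself needs nothing external.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "2.3.6"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.5', 'v2.3.5' or '2.3.5-beta1' into a comparable tuple of ints.
    Non-numeric suffixes are dropped; missing components count as 0."""
    core = re.search(r"\d[\d.]*", version)
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in core.group(0).split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release,
    i.e. 2.3.5 or lower. Numeric comparison, so 2.3.10 is correctly newer."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(wp_path: str = ".") -> Optional[str]:
    """Ask WP-CLI for the plugin version. Returns None if 'wp' is not on PATH
    or the plugin is not installed at wp_path."""
    try:
        out = subprocess.run(
            ["wp", "plugin", "get", "post-grid", "--field=version",
             f"--path={wp_path}"],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("ComboBlocks (post-grid) not installed here, or WP-CLI unavailable")
    elif is_vulnerable(v):
        print(f"VULNERABLE: post-grid {v} is 2.3.5 or lower; update to {FIXED_VERSION}+")
    else:
        print(f"OK: post-grid {v} is {FIXED_VERSION} or later")
```

Run it from the site root on each host (or pass `--path` via `installed_version(wp_path=...)`); the exit text is the only output, so it is easy to wrap in a cron job or configuration-management check.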
📡 Detection & Monitoring
Log Indicators:
- Unusual order creation spikes
- Orders marked as paid without corresponding payment gateway logs
- Paid orders from unauthenticated (guest) sessions, particularly on sites that do not offer guest checkout
Network Indicators:
- POST requests to order creation endpoints without authentication
- Unusual patterns in /wp-admin/admin-ajax.php requests
SIEM Query (Splunk-style example; it assumes order events are shipped to the SIEM with a user_authenticated field, which stock WordPress does not emit, so adapt the field names to your logging setup):
source="wordpress.log" AND ("order_created" OR "new_order") AND NOT user_authenticated=true
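The two strongest indicators above are paid orders with no gateway transaction behind them, and bursts of order creation from a single client. The following is an added example of that correlation logic run over constructed log lines; it is not code from the advisory or the plugin. The log format (one JSON object per line with event, order_id, status, ip, authenticated and ts fields) and the set of statuses treated as "paid" are assumptions to be mapped onto whatever your store and gateway actually log.

```python
"""Detect CVE-2024-13798-style fraudulent orders from structured logs.

Added example, not from the advisory or the plugin. Assumed log format:
one JSON object per line, 'event' is 'order_created' or 'gateway_capture',
with 'order_id', 'status', 'ip', 'authenticated' and an ISO-8601 'ts'.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real site data). 1001 is a normal order
# with a gateway capture; 1002-1005 arrive within seconds from one IP and are
# marked completed with no capture at all; 1006 is an ordinary pending order.
SAMPLE_LOG = """
{"ts":"2025-01-10T10:00:01Z","event":"order_created","order_id":"1001","status":"processing","ip":"198.51.100.7","authenticated":false}
{"ts":"2025-01-10T10:00:03Z","event":"gateway_capture","order_id":"1001","amount":"49.00"}
{"ts":"2025-01-10T10:05:10Z","event":"order_created","order_id":"1002","status":"completed","ip":"203.0.113.9","authenticated":false}
{"ts":"2025-01-10T10:05:11Z","event":"order_created","order_id":"1003","status":"completed","ip":"203.0.113.9","authenticated":false}
{"ts":"2025-01-10T10:05:12Z","event":"order_created","order_id":"1004","status":"completed","ip":"203.0.113.9","authenticated":false}
{"ts":"2025-01-10T10:05:13Z","event":"order_created","order_id":"1005","status":"completed","ip":"203.0.113.9","authenticated":false}
{"ts":"2025-01-10T10:30:00Z","event":"order_created","order_id":"1006","status":"pending","ip":"192.0.2.44","authenticated":true}
"""

# Statuses that mean "money received" (WooCommerce-style names; assumption).
PAID_STATUSES = {"processing", "completed"}


def parse_log(text):
    """Parse JSON lines into dicts with 'ts' converted to a datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def paid_without_capture(events):
    """Order IDs that reached a paid status with no gateway_capture event."""
    captured = {e["order_id"] for e in events if e["event"] == "gateway_capture"}
    return sorted(
        e["order_id"] for e in events
        if e["event"] == "order_created"
        and e["status"] in PAID_STATUSES
        and e["order_id"] not in captured
    )


def order_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Map of IP -> peak order count for IPs that created more than
    `threshold` orders inside any sliding `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "order_created":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("paid orders without gateway capture:", paid_without_capture(evs))
    print("order-creation bursts by IP:", order_bursts(evs))
```

The capture check is the one that matters most: a burst threshold will be tuned per store and will miss a patient attacker, whereas a paid order that the gateway never saw is wrong regardless of rate and is exactly what this vulnerability produces.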