CVE-2024-34372

5.3 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the WordPress Post Grid Master plugin (also called AddonMaster Post Grid Master). It allows unauthorized users to perform actions that should require authentication, affecting all versions up to 3.4.7. WordPress sites using this plugin are vulnerable.

💻 Affected Systems

Products:
  • WordPress Post Grid Master plugin
  • AddonMaster Post Grid Master
Versions: All versions up to and including 3.4.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin activated. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthenticated attackers could modify plugin settings, manipulate post grids, or potentially escalate privileges to compromise the WordPress site.

🟠

Likely Case

Unauthorized users can access administrative functions of the plugin, potentially altering content display settings or accessing restricted data.

🟢

If Mitigated

With proper authorization controls, only authenticated administrators can access plugin functions, limiting impact to authorized users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing authorization vulnerabilities typically require minimal technical skill to exploit once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.4.8 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/ajax-filter-posts/wordpress-post-grid-master-plugin-3-4-7-broken-access-control-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Post Grid Master' or 'AddonMaster Post Grid Master'
4. Click 'Update Now' if update is available
5. Alternatively, download version 3.4.8+ from WordPress repository and manually update

🔧 Temporary Workarounds

Disable Plugin (all)

Temporarily deactivate the vulnerable plugin until it is patched:

wp plugin deactivate post-grid-master

Restrict Access (all)

Use a web application firewall to block access to the plugin's admin endpoints.

🧯 If You Can't Patch

  • Deactivate the Post Grid Master plugin immediately
  • Implement strict network access controls to limit who can access WordPress admin interface

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Post Grid Master version. If the version is 3.4.7 or lower, the site is vulnerable.

Check Version:

wp plugin get post-grid-master --field=version

Verify Fix Applied:

After updating, verify plugin version shows 3.4.8 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /wp-admin/admin-ajax.php with post-grid-master actions
  • Unusual POST requests to plugin-specific endpoints from unauthenticated users

Network Indicators:

  • HTTP requests to plugin admin functions without authentication headers
  • Unusual traffic patterns to WordPress admin-ajax.php

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND action="*post-grid-master*") AND user="-"
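As an added example (not from the page's author, the vendor or the plugin itself), the log indicators above turned into a first-pass filter over constructed access-log lines: it parses combined-format entries, keeps admin-ajax.php requests whose query-string action contains "post-grid-master" (the same marker the SIEM query uses), and flags those whose user field is "-". The action names in the sample lines are placeholders, not the plugin's real AJAX actions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: host ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_MARKER = "post-grid-master"  # marker used by the SIEM query on this page

def parse_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def is_suspicious(rec):
    """admin-ajax request carrying a Post Grid Master action from a client the log
    shows as unauthenticated. Caveat: the user field reflects HTTP auth, not the
    WordPress login cookie, and actions sent in a POST body never reach the access log."""
    if rec is None or not rec["path"].endswith(AJAX_PATH):
        return False
    actions = rec["query"].get("action", [])
    if not any(ACTION_MARKER in a for a in actions):
        return False
    return rec["user"] == "-"

def scan(lines):
    """Return (host, action, status) for every suspicious line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["host"], rec["query"]["action"][0], rec["status"]))
    return hits

# Constructed sample lines; the action names are placeholders, not real plugin actions.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=post-grid-master_fetch HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - admin [10/May/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=post-grid-master_save HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) yields only the first line; the heartbeat call, the request with an HTTP-auth user and the non-ajax request are dropped.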

🔗 References
