Does Combo Blocks support application passwords

Ticket for: Combo Blocks
Richard Holder
Jun 18, 2024 12:29 AM

Hello. We recently had a pentest performed on our website. We've set our security to block all REST API calls unless the caller is authenticated. However, Combo Blocks does not support this security feature. Could you please confirm?

Here is some detail from the pen tester:

How to reproduce

Issue the following command within a terminal console:

$ curl --data a https://4comply.io/wp-json/post-grid/v2/get_site_data
{"admin_email":"rholder@4thoughtmarketing.com","admin_name":"Richard Holder","siteurl":"https://4comply.io","siteAdminurl":"https://4comply.io/wp-admin/"
...

Vulnerability description

An unauthenticated POST request to the /wp-json/post-grid/v2/get_site_data endpoint of a WordPress site reveals the admin email address. This vulnerability allows an attacker to obtain the email address of the site's administrator without needing to authenticate, potentially leading to further targeted attacks.

Risk description

The exposure of the WordPress admin email address is a significant security risk. Attackers can use this information to launch targeted phishing attacks, social engineering campaigns, or brute-force attacks to compromise the admin account. Once an attacker gains access to the admin account, they can potentially take over the entire WordPress site, leading to data breaches, defacement, or further exploitation of the site and its users.

Recommendation

To mitigate this vulnerability, it is recommended to:

1. Restrict access to the /wp-json/post-grid/v2/get_site_data endpoint to authenticated users only.
2. Review and update the WordPress and plugin settings to ensure that sensitive information is not exposed through APIs.
3. Implement additional security measures such as rate limiting, IP whitelisting, and Web Application Firewalls (WAF) to protect against unauthorized access.
4. Regularly update WordPress and its plugins to the latest versions to benefit from security patches and improvements.

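The finding above comes down to a REST route registered with a permission callback that lets anyone through. The following is an added illustration, not Combo Blocks or post-grid code, of the weak registration beside a hardened one; the namespace `example-grid/v2`, the route names and the handler are assumptions modelled on the endpoint in the pentest excerpt. Because WordPress core authenticates REST requests from application passwords (HTTP Basic auth) as the owning user, the `current_user_can()` check below covers both cookie-and-nonce and application-password clients.

```php
<?php
/**
 * Added example (not Combo Blocks / post-grid code). A site-data REST route
 * shown first with the weak permission callback, then hardened. Namespace,
 * route names and the handler are assumptions.
 */

add_action( 'rest_api_init', function () {

    // Weak: permission_callback always returns true, so any unauthenticated
    // client can read the response, including the admin e-mail.
    register_rest_route( 'example-grid/v2', '/get_site_data_weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_grid_site_data',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: only a logged-in user who can manage the site is allowed.
    // Cookie+nonce requests from wp-admin and Basic-auth requests carrying an
    // application password both set the current user, so one check serves
    // both. Anonymous callers get 401, authenticated non-admins get 403.
    register_rest_route( 'example-grid/v2', '/get_site_data', array(
        'methods'             => 'POST',
        'callback'            => 'example_grid_site_data',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to read site data.', 'example-grid' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );

/**
 * Route handler. Even behind the permission check, return only what the
 * caller needs rather than the administrator's profile details.
 */
function example_grid_site_data( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'siteurl'      => get_site_url(),
        'siteAdminurl' => admin_url(),
        // admin_email and admin_name are deliberately not returned.
    ) );
}
```

After deploying a fix like this, the pentester's curl command (with no credentials) should return a JSON `rest_forbidden` error with HTTP status 401 instead of site data, which is the quickest way to confirm the endpoint is no longer anonymous.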
1 Answers
Azizul Raju
Jun 23, 2024

Hi Richard,
Thank you for informing us about the security issue.

Our team has already fixed the problem and released a new version 2.2.84. Please update your plugin to the latest version, and feel free to contact us if you have any questions.

Have you had a chance to explore the newly added Gutenberg support? We've added over 50 Gutenberg blocks for you to use in your block editor!
