The Post Grid and Gutenberg Blocks – ComboBlocks WordPress plugin (Post Grid) contains a sensitive information exposure vulnerability (CWE-200) in all versions up to 2.3.6. This issue arises from the /wp-json/post-grid/v2/get_users REST API endpoint, which does not properly restrict access, allowing unauthenticated attackers to retrieve sensitive user data such as email addresses. The CVSS 3.1 base score is 5.3 (medium severity) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact. No known exploits are reported in the wild.

An unauthenticated attacker can extract sensitive user information, including email addresses, from affected WordPress sites using the vulnerable Post Grid plugin. This exposure could facilitate further targeted attacks such as phishing or social engineering but does not directly impact integrity or availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling or restricting access to the /wp-json/post-grid/v2/get_users REST API endpoint or removing the Post Grid plugin if feasible. Monitor for updates from pickplugins regarding an official patch.