wpWax Post Grid, Slider & Carousel Ultimate
cpe:2.3:a:wpwax:post_grid,_slider_&_carousel_ultimate:*:*:*:*:wordpress:*:*
- Affected versions: <= 1.6.10
A local file inclusion vulnerability has been identified in the Post Grid, Slider & Carousel Ultimate plugin for WordPress, affecting all versions through 1.6.10. The vulnerability arises in the post_type_ajax_handler() function, where the 'theme' parameter is not properly sanitized. This flaw allows authenticated attackers with Contributor-level access and above to include and execute arbitrary files on the server. Exploitation of this vulnerability could lead to unauthorized code execution, bypassing access controls, and exposure of sensitive data, particularly in scenarios where 'safe' file types like images can be uploaded and included.
Exploitation of this vulnerability could result in local file inclusion, allowing for the execution of arbitrary PHP code on the server. This could be used to bypass access controls, access sensitive information, or execute malicious code, especially if the attacker can upload files disguised as images or other 'safe' formats.
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher sends a request that is handled by the post_type_ajax_handler() function. The request must include the 'post_type' parameter, which can be manipulated to include a 'theme' value that exploits the local file inclusion vulnerability. Once the arbitrary file is included, any PHP code within that file is executed on the server.
Users are advised to update the Post Grid, Slider & Carousel Ultimate plugin to version 1.7 or later, where this vulnerability has been patched.
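The flaw class described above is a request-supplied 'theme' value reaching a file include. The following PHP is an added example, not the plugin's code or its 1.7 patch, showing one way to resolve such a value safely with an exact-match allowlist plus a canonical-path containment check. The function name `resolve_theme_template`, the theme names and the demo directory are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
// Resolves a request-supplied theme name to a template file, or returns null.
function resolve_theme_template(string $theme, string $templateDir, array $allowedThemes): ?string
{
    // 1. Exact-match allowlist: the value is only ever compared, never trusted as a path.
    if (!in_array($theme, $allowedThemes, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise both paths and confirm the file exists
    //    and sits inside the template directory.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $theme . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved path escapes the template directory
    }
    return $path;
}

// Constructed demo data: a temporary template directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . uniqid();
mkdir($dir);
$template = $dir . DIRECTORY_SEPARATOR . 'theme-1.php';
file_put_contents($template, '<?php // constructed template');
$allowed = ['theme-1', 'theme-2']; // assumed theme names

// Constructed inputs: a valid name, an allowlisted name with no file on disk,
// a name containing a parent-directory segment, a name with an extension, empty.
$samples = ['theme-1', 'theme-2', '../theme-1', 'theme-1.php', ''];
foreach ($samples as $value) {
    $resolved = resolve_theme_template($value, $dir, $allowed);
    printf("%-14s => %s\n", var_export($value, true), $resolved === null ? 'rejected' : 'accepted');
}

// Clean up the demo files.
unlink($template);
rmdir($dir);
```

A handler would call the include only when the helper returns a non-null path and fall back to a fixed default template otherwise.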