Smart Post Show WordPress Plugin PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts WordPress plugin in all versions through 3.0.12. The vulnerability arises from the deserialization of untrusted input in the import_shortcodes() function, which allows authenticated attackers with Administrator-level access to inject PHP objects. The vulnerable plugin itself does not contain a known PHP Object Injection (POP) chain, but if another plugin or theme that provides such a chain is installed on the same site, the vulnerability could be exploited to delete files, access sensitive information, or execute code, depending on what that chain does.
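The following is an added illustration of the pattern the advisory describes and of the standard fix; it is not the plugin's own code. The function names (sps_import_shortcodes_vulnerable, sps_import_shortcodes_hardened, sps_import_shortcodes_json) and the sample payloads are assumptions constructed for this example. The vulnerable function passes an import payload straight to unserialize(); the hardened variants either disable class instantiation during unserialize() (PHP 7.0+) or move the import format to JSON, which has no object-instantiation semantics at all.

```php
<?php
// Added example, not the plugin's code. Names and sample data are hypothetical.

// Vulnerable pattern: untrusted import data goes straight to unserialize(),
// so any loaded class with a magic method (__wakeup, __destruct, __toString,
// ...) can be instantiated, which is exactly what a POP chain in another
// plugin or theme needs.
function sps_import_shortcodes_vulnerable(string $payload): array
{
    $data = @unserialize($payload); // all classes allowed: object injection
    return is_array($data) ? $data : [];
}

// Hardened pattern 1: keep the serialized format for backwards compatibility
// but refuse to instantiate any class. Objects in the payload become
// __PHP_Incomplete_Class, whose magic methods never run; the recursive walk
// then rejects the import outright if any object slipped into a nested value.
function sps_import_shortcodes_hardened(string $payload): array
{
    // '@' only silences the E_NOTICE PHP emits for malformed input.
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return []; // not an array of shortcode settings: refuse the import
    }
    $clean = true;
    array_walk_recursive($data, function ($value) use (&$clean) {
        if (is_object($value)) {
            $clean = false;
        }
    });
    return $clean ? $data : [];
}

// Hardened pattern 2 (preferred for new code): export and import as JSON.
// json_decode() with $assoc = true only ever produces scalars and arrays.
function sps_export_shortcodes(array $shortcodes): string
{
    return json_encode($shortcodes, JSON_THROW_ON_ERROR);
}

function sps_import_shortcodes_json(string $payload): array
{
    $data = json_decode($payload, true);
    return (json_last_error() === JSON_ERROR_NONE && is_array($data)) ? $data : [];
}

// Constructed sample input: a legitimate settings array and a payload that
// carries an object (a plain stdClass stands in for whatever class a gadget
// chain would target; no real chain is involved here).
$benign  = serialize(['grid-1' => ['layout' => 'carousel', 'per_page' => 6]]);
$hostile = serialize((object) ['layout' => 'carousel']);

var_dump(sps_import_shortcodes_vulnerable($hostile)); // array(0) {} but the object WAS instantiated
var_dump(sps_import_shortcodes_hardened($benign)['grid-1']['per_page']); // int(6)
var_dump(sps_import_shortcodes_hardened($hostile)); // array(0) {} and no object was created
var_dump(sps_import_shortcodes_json(sps_export_shortcodes(['grid-1' => ['layout' => 'grid']]))); // round-trips
```

Note that a capability or nonce check around the import handler does not close this issue on its own: the advisory's attacker already holds Administrator access, so the fix has to be in how the payload is parsed. If the import format has to stay PHP-serialized, 'allowed_classes' => false is the minimum; moving to JSON removes the deserialization sink entirely.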

Impact

Exploitation of this vulnerability allows an attacker to inject arbitrary PHP objects during import. On its own the plugin offers no chain to turn that into further impact, but if a PHP Object Injection chain is present through another installed plugin or theme, the injected objects can trigger it.

Remediation

Users are advised to update the Smart Post Show WordPress plugin to version 3.0.13 or a newer patched version.

Added: Apr 14, 2026, 6:19 AM
Updated: Apr 14, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.9
remediation: 0.0
relevance: 5.9
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.