Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget < 1.6.8 – Authenticated (Contributor+) PHP Object Injection in outpost_shortcode_metabox_markup | CVE 2024-2006 | Plugin Vulnerabilities

Description

The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

post-grid-carousel-ultimate

Fixed in 1.6.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8cf1b234-862b-41a0-ab63-a986f8023613

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

38de6ff3-e075-4124-a006-0759bb73a6b5

Timeline

Publicly Published

2024-03-05 (about 2 years ago)

Added

2024-03-05 (about 2 years ago)

Last Updated

2024-03-05 (about 2 years ago)

Other

Published

Title

Published

2025-06-04

Title

PressGrid - Frontend Publish Reaction & Multimedia Theme <= 1.3.1 - Unauthenticated PHP Object Injection

Published

2025-06-03

Title

Sweet Dessert < 1.1.13 - Unauthenticated PHP Object Injection

Published

2025-08-25

Title

YouTube Showcase < 3.5.2 - Unauthenticated PHP Object Injection

Published

2024-08-28

Title

Theme Editor < 2.9 - Authenticated (Admin+) PHAR Deserialization

Published

2025-12-20

Title

Live Composer – Free WordPress Website Builder < 2.0.3 - Authenticated (Contributor+) PHP Object Injection via dslc_module_posts_output Shortcode