WordPress Plugin Vulnerabilities

Post Grid < 2.0.73 & Team Showcase < 1.22.16 - PHP Object Injection

Description

Ram Gall from Wordfence discovered an authenticated (subscriber+) PHP Object Injection vulnerability in the Post Grid and Team Showcase WordPress plugins.

Affects Plugins

Plugin icon
post-grid
Fixed in 2.0.73
Plugin icon
team
Fixed in 1.22.16

References

CVE
CVE-2020-35938
CVE
CVE-2020-35939
URL
https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/
URL
https://plugins.trac.wordpress.org/changeset/2383813/post-grid
URL
https://plugins.trac.wordpress.org/changeset/2383826/team

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Ram Gall (Wordfence)
Verified
No
WPVDB ID
dd44c3f3-fe47-414c-976a-2ba73c47dec8

Timeline

Publicly Published
2020-10-05 (about 5 years ago)
Added
2020-10-05 (about 5 years ago)
Last Updated
2021-01-02 (about 5 years ago)

Other

Published
Title
Published
2024-10-17
Title
Giveaway Boost <= 2.1.4 - Unauthenticated PHP Object Injection
Published
2022-07-18
Title
Feed Them Social < 2.9.8.6 - Unauthenticated PHAR Deserialisation
Published
2026-04-20
Title
Château < 1.3 - Unauthenticated PHP Object Injection
Published
2022-11-17
Title
Shortcodes and extra features for Phlox theme < 2.10.7 - PHP Objection Injection
Published
2023-12-27
Title
EnvíaloSimple < 2.2 Unauthenticated PHP Object Injection