Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce < 2.6.4 – Authenticated (Admin+) PHP Object Injection | CVE 2024-3020 | Plugin Vulnerabilities

Description

The plugin is vulnerable to PHP Object Injection in versions up to and including, 2.6.3 via deserialization of untrusted input in the import function via the 'shortcode' parameter. This allows authenticated attackers, with administrator-level access to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

wp-carousel-free

Fixed in 2.6.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d66df15e-1a0a-49e9-bcf9-67091499b24e

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

hoanpk

Verified

No

WPVDB ID

e5e41368-8a20-4dbe-b337-874e943f06b9

Timeline

Publicly Published

2024-04-09 (about 2 years ago)

Added

2024-04-09 (about 2 years ago)

Last Updated

2024-04-09 (about 2 years ago)

Other

Published

Title

Published

2025-03-13

Title

CiyaShop - Multipurpose WooCommerce Theme < 4.19.1 - Unauthenticated PHP Object Injection

Published

2025-02-21

Title

Mambo Importer <= 1.0 - Authenticated (Administrator+) PHP Object Injection

Published

2024-12-20

Title

Custom Product Tabs For WooCommerce < 1.2.5 - Authenticated (Shop Manager+) PHP Object Injection

Published

2026-04-16

Title

Eldon - Artist Portfolio WordPress Theme < 1.5 - Unauthenticated PHP Object Injection

Published

2020-11-03

Title

GDPR CCPA Compliance Support < 2.4 - Unauthenticated PHP Object Injection