Logo Showcase Ultimate Plugin Vulnerable to PHP Object Injection
CVE-2024-1951
Key Information:
- Vendor: WordPress
- CVE Published: 13 March 2024
What is CVE-2024-1951?
The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress contains a vulnerability that enables PHP Object Injection through deserialization of untrusted input via shortcode in all versions up to and including 1.3.8. This issue could allow authenticated attackers with contributor access and higher to inject a PHP Object into the system. While the vulnerable plugin does not include a payload execution chain (POP), if other plugins or themes installed on the target site possess such a chain, the results could be severe, potentially leading to arbitrary file deletion, unauthorized data access, or malicious code execution.

Affected Version(s)
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid * <= 1.3.8