Logo Showcase Ultimate Plugin Vulnerable to PHP Object Injection
CVE-2024-1951

7.5 HIGH

Key Information:

Summary

The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.3.8, via deserialization of untrusted input passed through a shortcode. This allows authenticated attackers with Contributor-level access or higher to inject a PHP object into the application. The vulnerable plugin itself does not contain a gadget chain (a POP chain), but if another plugin or theme installed on the target site provides one, the impact could be severe, potentially including arbitrary file deletion, unauthorized data access, or code execution.
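As an added illustration of the vulnerability class described above (not the plugin's own code), the snippet below contrasts a shortcode handler that hands an attribute straight to unserialize() with a hardened handler that refuses to instantiate classes; the 'settings' attribute name and the Lsu_Demo_Marker class are assumptions made for the demo.

```php
<?php
// Added illustration of the vulnerability class in this advisory, not the plugin's
// own code. The 'settings' attribute and Lsu_Demo_Marker are hypothetical.

// Shim so the snippet runs outside WordPress, which already defines this function.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) {
        return array_merge( $pairs, (array) $atts );
    }
}

// Stand-in for any class with a magic method. Real gadget (POP) chains live in
// other plugins or themes, which is why the impact depends on what else is installed.
class Lsu_Demo_Marker {
    public static $woken = false;
    public function __wakeup() { self::$woken = true; }
}

// Vulnerable pattern: a shortcode attribute, which a Contributor can set in any post,
// goes straight to unserialize(), so PHP instantiates whatever class the string names
// and runs that class's __wakeup()/__destruct().
function lsu_demo_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'settings' => '' ), $atts );
    return unserialize( $atts['settings'] );
}

// Hardened pattern: allowed_classes => false (PHP >= 7.0) turns every object into
// __PHP_Incomplete_Class, so no magic method runs; then accept only the flat array
// of scalars the feature needs. Better still, carry such settings as JSON instead.
function lsu_demo_hardened( $atts ) {
    $atts   = shortcode_atts( array( 'settings' => '' ), $atts );
    $config = unserialize( $atts['settings'], array( 'allowed_classes' => false ) );
    if ( ! is_array( $config ) ) {
        return array();
    }
    foreach ( $config as $key => $value ) {
        if ( ! is_string( $key ) || ! is_scalar( $value ) ) {
            return array();   // drop anything nested or object-shaped
        }
    }
    return $config;
}

// Constructed input: a serialized Lsu_Demo_Marker, as a post author could supply it.
$input = array( 'settings' => serialize( new Lsu_Demo_Marker() ) );
lsu_demo_vulnerable( $input );
var_dump( Lsu_Demo_Marker::$woken );     // did the magic method run on untrusted input?
Lsu_Demo_Marker::$woken = false;
var_dump( lsu_demo_hardened( $input ) ); // what the hardened handler keeps from it
var_dump( Lsu_Demo_Marker::$woken );     // did any magic method run this time?
```

Run it with the PHP CLI; the first var_dump shows the vulnerable handler triggering __wakeup() on attacker-shaped input, while the hardened handler returns nothing usable and triggers no magic method.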

Affected Version(s)

Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid: all versions <= 1.3.8

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Credit

Francesco Carlucci