PHP Object Injection Vulnerability in Smart Post Show Plugin for WordPress
CVE-2026-3017

7.2 HIGH

What is CVE-2026-3017?

The Smart Post Show plugin for WordPress is vulnerable to PHP Object Injection because its import_shortcodes() function deserializes untrusted input. The flaw affects all versions up to and including 3.0.12 and allows authenticated attackers with Administrator-level privileges to inject arbitrary PHP objects. No known Property-Oriented Programming (POP) chain is present in the plugin itself, so the vulnerability has no direct impact on its own; if a POP chain is available through an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. On a single-site install an Administrator can already install plugins, so the practical exposure is greatest on multisite deployments, where site administrators lack that capability.
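To make the bug class concrete, the following is an added example and not code from the Smart Post Show plugin or its author. It assumes a hypothetical gadget class LogCleaner (standing in for a class another plugin or theme might supply) and hypothetical import functions named import_shortcodes_vulnerable() and import_shortcodes_hardened(); the sample file and payload are constructed inline. It shows why unserialize() on attacker-controlled data is dangerous even when the vulnerable code itself does nothing with the object, and how allowed_classes => false breaks the chain.

```php
<?php
// Added illustration only; this is not code from the Smart Post Show plugin.
// The class, function names and file path below are hypothetical.

// A gadget class: any loaded class whose __destruct (or __wakeup,
// __toString, ...) does something dangerous with its properties.
// The plugin has no known chain; a class like this in another
// plugin or theme is what completes one.
class LogCleaner
{
    public $path;

    public function __destruct()
    {
        // Runs when the object is garbage-collected, including objects
        // that unserialize() created from attacker-controlled bytes.
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: base64-wrapped serialized PHP fed straight into
// unserialize(), which instantiates whatever class the data names.
function import_shortcodes_vulnerable(string $data): array
{
    $raw = base64_decode($data, true);
    if ($raw === false) {
        return [];
    }
    $settings = @unserialize($raw);
    // Even though a non-array result is discarded, the object was
    // already created, and its __destruct fires when it is freed here.
    return is_array($settings) ? $settings : [];
}

// Hardened pattern: refuse to instantiate any class. Objects in the
// payload become __PHP_Incomplete_Class, whose magic methods never run.
// Moving the import format to JSON (json_decode) removes the risk
// entirely and is the cleaner long-term fix.
function import_shortcodes_hardened(string $data): array
{
    $raw = base64_decode($data, true);
    if ($raw === false) {
        return [];
    }
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($settings) ? $settings : [];
}

// Constructed sample: a file standing in for something the attacker wants gone.
$victim = tempnam(sys_get_temp_dir(), 'ssp');
file_put_contents($victim, "constructed sample\n");

// The attacker never needs the gadget class; the payload is just text
// naming it. Building it as a string also avoids instantiating LogCleaner
// locally, which would trigger its own __destruct.
$payload = base64_encode(sprintf(
    'O:10:"LogCleaner":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim),
    $victim
));

import_shortcodes_hardened($payload);
printf("after hardened import, file exists: %s\n", var_export(is_file($victim), true));

import_shortcodes_vulnerable($payload);
printf("after vulnerable import, file exists: %s\n", var_export(is_file($victim), true));
```

Run it with a stock PHP 7.0 or later CLI. The hardened import leaves the sample file in place because the deserialized object is an __PHP_Incomplete_Class and no destructor runs; the vulnerable import removes it, even though the function never touched the object beyond checking its type. That is the point of the advisory's wording: the injection primitive lives in the plugin, while the damage depends entirely on which classes happen to be loadable when unserialize() runs.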

Affected Version(s)

Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts: all versions <= 3.0.12

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Score: 7.2
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vilaysone CHANTHAVONG