HIGH🇬🇧 English

CVE-2020-35938

CVSS 7.5v3.1pub. 2021-01-01upd. 2024-11-21

PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Pickplugins Post Grid

    APP
    Pickplugins
    < 2.0.73
  • Pickplugins Team Showcase

    APP
    Pickplugins
    < 1.22.16
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Deserialization
CWE
Referencje

Powiązane podatności

CVE-2024-13408HIGH7.5ten sam produkt

The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for Word...

CVE-2021-4450HIGH8.8ten sam produkt

The Post Grid plugin for WordPress is vulnerable to blind SQL Injection via post metadata in versions up to, a...

CVE-2024-44002HIGH7.1ten sam produkt

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlug...

CVE-2024-8253HIGH8.8ten sam produkt

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions ...

CVE-2020-35939HIGH7.5ten sam produkt

PHP Object injection vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote aut...