CVE-2020-35938
Published: 2021-01-01
Priority: P3, 51, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.08% (79.2th percentile)
PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pickplugins | post_grid | < 2.0.73 | 2.0.73 |
| pickplugins | team_showcase | < 1.22.16 | 1.22.16 |
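CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |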
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.