Researchers have discovered two new high-severity vulnerabilities affecting the WordPress plugin Post Grid, which has over 60,000 installations. Both flaws are awaiting a CVE number, and both have been given a CVSS score of 7.5 out of 10. Interestingly, Post Grid's less popular sister plugin is affected by nearly identical vulnerabilities. One is a cross-site scripting (XSS) flaw; the other is a PHP object injection issue. If exploited, the flaws could essentially allow complete account takeover without even needing an account. Typically, at least a subscriber-level account would be needed, but "sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers," according to Ram Gall of Wordfence.
PickPlugins has developed and issued patches for each vulnerability: Post Grid version 2.0.73 and Team Showcase version 1.22.16. The patches should be applied as soon as possible. Leaving the plugins unpatched exposes sites to arbitrary code execution, files being deleted or written without authorization, and numerous other actions that could eventually lead to complete site takeover.
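To make the two flaw classes named above concrete from a defender's side, here is an added example of a hypothetical WordPress shortcode callback in its weak and hardened forms. It is not code from Post Grid or Team Showcase and does not describe their actual bugs; the shortcode name, attribute names and `demo_grid_*` function names are invented for illustration.

```php
<?php
// Added example (hypothetical, not the plugins' code): one shortcode callback
// written two ways. Shortcode attributes are controlled by whoever can place
// the shortcode, which, as the article notes, may be an unauthenticated visitor.

// Weak pattern: a configuration attribute is passed to unserialize() with no
// class restriction (a PHP object injection sink), and the title attribute is
// echoed into HTML unescaped (a stored/reflected XSS sink).
function demo_grid_shortcode_weak( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'settings' => '' ), $atts );
    $conf  = unserialize( base64_decode( $atts['settings'] ) );
    $title = $atts['title'];
    return '<div class="grid" data-cols="' . $conf['cols'] . '">' . $title . '</div>';
}

// Hardened pattern:
//  - carry configuration as JSON, so no PHP object can be instantiated;
//  - cast and clamp every configuration value before use;
//  - escape every value on output with the WordPress escaping helpers.
function demo_grid_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'settings' => '' ), $atts );

    $conf = json_decode( $atts['settings'], true );
    if ( ! is_array( $conf ) ) {
        $conf = array();
    }
    $cols = isset( $conf['cols'] ) ? absint( $conf['cols'] ) : 3;
    $cols = min( max( $cols, 1 ), 12 );           // keep within a sane range

    $title = sanitize_text_field( $atts['title'] );

    return '<div class="grid" data-cols="' . esc_attr( $cols ) . '">'
         . esc_html( $title ) . '</div>';
}

// If legacy PHP-serialized settings must still be read, forbid object
// instantiation outright (PHP 7.0+): arrays and scalars still round-trip.
function demo_grid_read_legacy_settings( $raw ) {
    $conf = @unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $conf ) ? $conf : array();
}

add_shortcode( 'demo_grid', 'demo_grid_shortcode_hardened' );
```

The same two controls (never deserialize untrusted data into objects, always escape on output) are what to look for when auditing any shortcode handler that accepts configuration from its attributes.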