Researchers have discovered that two new high severity vulnerabilities are affecting the WordPress plugin Post Grid which has over 60,000 installations. While both flaws are awaiting a CVE number, they have both been given a CVSS vulnerability rating scale score of 7.5 out of 10. Interestingly enough, Post Grid’s less popular sister app is affected by nearly identical vulnerabilities. One of which is a cross site scripting (XSS) flaw while the other is PHP object injection issue. If taken advantage of, the flaws could essentially allow for complete account takeover without even needing an account. Typically, a subscriber level account would at least be needed but, “sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers,” according to Ram Gall of Wordfence.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in