CVE-2024-13408
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to include and execute arbitrary PHP files on the server via the 'theme' attribute in the pgcu shortcode. This can lead to remote code execution, data theft, and privilege escalation. All WordPress sites using Post Grid, Slider & Carousel Ultimate plugin versions up to 1.6.10 are affected.
💻 Affected Systems
- Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget (versions up to and including 1.6.10)
📦 What is this software?
Post Grid by Pickplugins
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data exfiltration, ransomware deployment, or complete site takeover via arbitrary PHP code execution.
Likely Case
Unauthorized file access, privilege escalation to administrator, and installation of backdoors or malware on the WordPress site.
If Mitigated
Limited impact if proper file upload restrictions and server hardening are in place, but there is still potential for data leakage.
🎯 Exploit Status
Exploitation requires Contributor-level access; attackers may need to upload PHP files first or leverage existing files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3227281/post-grid-carousel-ultimate/tags/1.7/includes/classes/shortcode.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Post Grid, Slider & Carousel Ultimate'.
4. Click 'Update Now' if available, or manually update to version 1.7+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily remove Contributor and higher roles from untrusted users until patching.
Disable Plugin
Deactivate the vulnerable plugin if its functionality is not critical.
🧯 If You Can't Patch
- Implement strict file upload controls to prevent PHP file uploads via media library or other plugins.
- Apply web application firewall (WAF) rules to block requests containing local file inclusion patterns in pgcu shortcode parameters.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Post Grid, Slider & Carousel Ultimate' version 1.6.10 or lower.
Check Version:
wp plugin list --name='post-grid-carousel-ultimate' --field=version
Verify Fix Applied:
Confirm plugin version is 1.7 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode usage with 'theme' parameter in POST requests
- PHP file inclusion attempts in web server logs
- Increased activity from Contributor-level accounts
Network Indicators:
- HTTP requests containing pgcu shortcode with file paths in theme attribute
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path="/index.php") AND (query_string="*pgcu*" OR (post_data="*theme=*" AND post_data="*.php*"))
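The indicators above describe what to look for; the following added example (not part of the original advisory and not the plugin's code) shows that detection logic run over a few constructed request-log lines. It parses `[pgcu ...]` shortcodes out of URL-encoded POST bodies and flags any `theme` value that is not a plain identifier (letters, digits, hyphen, underscore), which is the same allowlist check a WAF rule for the "If You Can't Patch" workaround would apply. The log line format, field names, account names and payload paths are constructed for the example; real web server logs normally omit POST bodies, so this assumes request-body logging or a WordPress-side audit log.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Matches a [pgcu ...] shortcode and captures its attribute string.
SHORTCODE_RE = re.compile(r'\[pgcu\b([^\]]*)\]', re.IGNORECASE)
# Matches key="value", key='value' or key=value attribute pairs.
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))''')
# A benign theme name: letters, digits, hyphen and underscore only.
# Anything else (slashes, dots, percent signs, colons) is treated as a file path.
SAFE_THEME_RE = re.compile(r'^[A-Za-z0-9_-]+$')


def parse_pgcu_shortcodes(text):
    """Return one attribute dict per [pgcu ...] shortcode found in text."""
    found = []
    for sc in SHORTCODE_RE.finditer(text):
        attrs = {}
        for a in ATTR_RE.finditer(sc.group(1)):
            key = a.group(1).lower()
            # Exactly one of the three value groups matched.
            value = next(v for v in a.groups()[1:] if v is not None)
            attrs[key] = value
        found.append(attrs)
    return found


def theme_is_suspicious(theme):
    """True when a theme attribute holds anything other than a plain identifier."""
    if theme is None:
        return False
    # Decode once more so a double-encoded '..%2F' is judged on its real content.
    decoded = unquote_plus(theme)
    if decoded == '':
        return False  # empty theme falls back to the plugin default
    return SAFE_THEME_RE.match(decoded) is None


def scan_log_lines(lines):
    """Constructed line format: '<ts> <client> <wp_user> <method> <path> <urlencoded body>'."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue
        ts, client, user, method, path, body = parts
        # The shortcode may sit in any form field (post content, excerpt, a widget),
        # so decode every field and inspect each value.
        for field, values in parse_qs(body).items():
            for value in values:
                for attrs in parse_pgcu_shortcodes(value):
                    theme = attrs.get('theme')
                    if theme_is_suspicious(theme):
                        findings.append({'ts': ts, 'client': client, 'user': user,
                                         'path': path, 'field': field, 'theme': theme})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # benign: a stock theme name
    '2024-01-15T10:21:40Z 198.51.100.4 editor_anna POST /wp-admin/post.php '
    'post_ID=410&content=%5Bpgcu+id%3D%22410%22+theme%3D%22flat_1%22%5D',
    # suspicious: a traversal path ending in .php in the theme attribute
    '2024-01-15T10:22:01Z 203.0.113.7 contrib_bob POST /wp-admin/post.php '
    'post_ID=412&content=%5Bpgcu+id%3D%22412%22+theme%3D%22..%2F..%2F..%2Ftmp%2Fconstructed-sample.php%22%5D',
    # suspicious: double-encoded traversal submitted through admin-ajax
    '2024-01-15T10:22:15Z 203.0.113.7 contrib_bob POST /wp-admin/admin-ajax.php '
    'action=save_widget&text=%5Bpgcu+theme%3D%22..%252F..%252Fx%22%5D',
    # unrelated request with no body
    '2024-01-15T10:23:00Z 198.51.100.4 editor_anna GET /index.php -',
]

if __name__ == '__main__':
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} client={f['client']} path={f['path']} "
              f"field={f['field']} theme={f['theme']!r}")
```

Run stand-alone, the script reports the two `contrib_bob` requests and stays silent on the benign `flat_1` usage. The same `theme_is_suspicious` check, applied before a shortcode is saved or rendered, is the allowlist a WAF or a server-side filter would enforce; matching on `.php` alone, as the SIEM query above does, misses traversal to files without that extension and double-encoded variants.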