CVE-2024-13409
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to perform Local File Inclusion attacks via the 'theme' parameter in the Post Grid, Slider & Carousel Ultimate plugin. Attackers can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or privilege escalation. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to install backdoors, steal sensitive data, deface websites, or pivot to other systems.
Likely Case
Unauthorized file access leading to sensitive information disclosure, privilege escalation to administrator, or website defacement.
If Mitigated
Limited impact if proper file permissions restrict PHP execution in upload directories and strict access controls are in place.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor or higher) and knowledge of the path to the file to be included. To include attacker-supplied code rather than a file already on the server, an attacker would first need a way to place that file on the server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3227281/post-grid-carousel-ultimate/tags/1.7/includes/classes/ajax.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Post Grid, Slider & Carousel Ultimate'.
4. Click 'Update Now' if available, or download version 1.7 or later from the WordPress plugin repository.
5. Replace the plugin files with the patched version.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily remove Contributor and Author roles from untrusted users until patching is complete.
Disable Plugin
Deactivate the vulnerable plugin if its functionality is not critical.
🧯 If You Can't Patch
- Implement strict file upload restrictions to prevent PHP file uploads
- Apply web application firewall rules to block requests containing local file inclusion patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Post Grid, Slider & Carousel Ultimate' version 1.6.10 or lower.
Check Version:
wp plugin list --name='post-grid-carousel-ultimate' --field=version
Verify Fix Applied:
Confirm plugin version is 1.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=post_type_ajax_handler' and 'theme' parameter containing file paths
- Unusual file inclusion attempts in web server logs
Network Indicators:
- HTTP requests with suspicious 'theme' parameter values attempting directory traversal
SIEM Query:
web.url:*admin-ajax.php* AND web.query:action=post_type_ajax_handler AND (web.query:theme=*../* OR web.query:theme=*php*)
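The log and network indicators above can be turned into a small request classifier for a WAF or reverse-proxy log that records the request body. The following is an added example, not code from the advisory, the plugin, or Wordfence; the record layout (method, URI, decoded POST body) and the sample requests are constructed for illustration.

```python
"""Flag admin-ajax.php requests that match the CVE-2024-13409 log indicators.

Added example (not from the advisory). It assumes a log source that records the
request method, the URI including the query string and, for POST requests, the
decoded form body. Standard access logs do not record POST bodies, so in practice
this runs over WAF, reverse-proxy or request-mirroring output.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "post_type_ajax_handler"  # action named in the advisory's indicators


def _merge_params(uri: str, body: str) -> Dict[str, List[str]]:
    """Collect parameters from both the query string and the POST body.

    admin-ajax.php accepts either, so an indicator that only looks at one
    location misses half the traffic. Keys are lower-cased for matching.
    """
    params: Dict[str, List[str]] = {}
    for source in (urlparse(uri).query, body or ""):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(key.lower(), []).extend(values)
    return params


def classify_request(method: str, uri: str, body: str = "") -> Optional[str]:
    """Return a short reason if the request matches the indicators, else None."""
    if urlparse(uri).path != AJAX_ENDPOINT:
        return None
    params = _merge_params(uri, body)
    if SUSPECT_ACTION not in params.get("action", []):
        return None
    for raw in params.get("theme", []):
        # parse_qs already URL-decoded once; decode again to catch double encoding.
        theme = unquote(raw).lower()
        if "../" in theme.replace("\\", "/"):
            return "theme parameter contains directory traversal"
        if ".php" in theme:
            return "theme parameter references a PHP file"
        if theme.startswith("/"):
            return "theme parameter is an absolute path"
    return None


# Constructed sample records: (method, uri, decoded body). Not real traffic.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", AJAX_ENDPOINT, "action=post_type_ajax_handler&theme=grid-style-1"),
    ("POST", AJAX_ENDPOINT, "action=post_type_ajax_handler&theme=..%2F..%2Fexample"),
    ("GET", AJAX_ENDPOINT + "?action=post_type_ajax_handler&theme=foo.php", ""),
    ("POST", AJAX_ENDPOINT, "action=heartbeat&theme=../x"),   # different action: benign
    ("GET", "/index.php?theme=../x", ""),                       # not the AJAX endpoint
]


def scan(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (method, uri, reason) for every record that matches."""
    hits = []
    for method, uri, body in records:
        reason = classify_request(method, uri, body)
        if reason:
            hits.append((method, uri, reason))
    return hits


if __name__ == "__main__":
    for method, uri, reason in scan(SAMPLE_REQUESTS):
        print(f"ALERT {method} {uri}: {reason}")
```

Only the second and third sample records are flagged: a normal theme name passes, a request to a different AJAX action is ignored even though it carries a traversal string, and a request to a non-admin-ajax path is out of scope. Because the plugin's own parameter values are legitimate theme names, a whitelist of known-good `theme` values (taken from the installed plugin) is a tighter rule than the pattern match once you have a baseline.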
🔗 References
- https://ja.wordpress.org/plugins/post-grid-carousel-ultimate/
- https://plugins.trac.wordpress.org/browser/post-grid-carousel-ultimate/tags/1.6.10/includes/classes/ajax.php
- https://plugins.trac.wordpress.org/changeset/3227281/post-grid-carousel-ultimate/tags/1.7/includes/classes/ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/38672a45-b7a7-445f-9e77-7050df6920fa?source=cve