CVE-2024-2006
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to perform PHP object injection through the Post Grid, Slider & Carousel Ultimate plugin. If a POP chain exists via another plugin or theme, attackers could delete files, steal data, or execute arbitrary code. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, and server takeover if a suitable POP chain exists.
Likely Case
Arbitrary file deletion or sensitive data exposure through available POP chains in common WordPress plugins/themes.
If Mitigated
Limited impact if no POP chains exist, though object injection still creates security risks.
🎯 Exploit Status
Requires authenticated access and finding suitable POP chains. Technical details are public but no full exploit is published.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.8
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Post Grid, Slider & Carousel Ultimate'.
4. Click 'Update Now' if available, or delete and reinstall from the WordPress repository.
5. Verify the version is 1.6.8 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until patched:
wp plugin deactivate post-grid-carousel-ultimate
Restrict user roles
Limit contributor and higher roles to trusted users only
🧯 If You Can't Patch
- Disable the Post Grid, Slider & Carousel Ultimate plugin immediately
- Implement strict access controls and monitor for suspicious activity from contributor+ users
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Post Grid, Slider & Carousel Ultimate' version 1.6.7 or lower
Check Version:
wp plugin get post-grid-carousel-ultimate --field=version
Verify Fix Applied:
Confirm plugin version is 1.6.8 or higher in WordPress admin
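The version check and the deactivation workaround above can be scripted so the check is repeatable across a fleet of sites. The following Python script is an added example, not part of this advisory or of the plugin; it wraps the two wp-cli commands quoted on this page (`wp plugin get ... --field=version` and `wp plugin deactivate ...`) and compares the installed version numerically against the fixed version 1.6.8, so that a version such as 1.10.0 is not mistaken for a vulnerable one by a plain string comparison. The `--deactivate` flag is this script's own option, not a wp-cli flag.

```python
"""Check whether the installed plugin version is below the fixed release and,
optionally, apply the advisory's workaround. Added example; the slug, the
wp-cli commands and the fixed version 1.6.8 come from the advisory."""
import re
import subprocess
import sys
from typing import Optional

PLUGIN_SLUG = "post-grid-carousel-ultimate"
FIXED_VERSION = "1.6.8"  # first non-vulnerable release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.6.8' into (1, 6, 8). Pre-release suffixes such as '-beta1' are
    dropped. Comparing integer tuples avoids the string-compare trap where
    '1.10.0' < '1.6.8' because '1' sorts before '6'."""
    numbers = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(n) for n in numbers)


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_version(slug: str = PLUGIN_SLUG) -> Optional[str]:
    """Run the wp-cli command from the advisory. Returns None if wp-cli is
    missing or the plugin is not installed (wp exits non-zero in that case)."""
    try:
        result = subprocess.run(
            ["wp", "plugin", "get", slug, "--field=version"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip() or None


def deactivate_plugin(slug: str = PLUGIN_SLUG) -> bool:
    """Apply the temporary workaround from the advisory."""
    result = subprocess.run(["wp", "plugin", "deactivate", slug],
                            capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print(f"{PLUGIN_SLUG}: not installed or wp-cli unavailable")
        sys.exit(0)
    if not is_vulnerable(version):
        print(f"{PLUGIN_SLUG} {version}: fix applied (>= {FIXED_VERSION})")
        sys.exit(0)
    print(f"{PLUGIN_SLUG} {version}: VULNERABLE, update to {FIXED_VERSION} or later")
    # '--deactivate' is this script's own flag (hypothetical), not a wp-cli option
    if "--deactivate" in sys.argv[1:]:
        ok = deactivate_plugin()
        print("workaround applied: plugin deactivated" if ok else "deactivation failed")
    sys.exit(1)
```

Run it from the WordPress install directory (where wp-cli resolves the site), with `--deactivate` only on hosts where taking the plugin offline until the update is acceptable; the non-zero exit status on a vulnerable version makes it easy to wire into a cron job or configuration-management check.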
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with 'action' parameter containing 'outpost_shortcode_metabox_markup'
- PHP deserialization errors in web server logs
- Unexpected file deletions or modifications by contributor-level users
Network Indicators:
- HTTP requests with serialized PHP objects in parameters
SIEM Query:
source="wordpress.log" AND "outpost_shortcode_metabox_markup" AND ("unserialize" OR "O:")
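The log indicators and the SIEM query above can be expressed as a small scanner that a defender can run over an access log before the data reaches a SIEM. The Python below is an added example, not part of this advisory or of any vendor tool. It assumes the web server writes common/combined log format; the admin-ajax action name is the one named in the indicators above, and the `O:<len>:"<Class>":<count>:{` prefix is the standard leading form of a PHP serialized object. The sample log lines are constructed for illustration. Note that admin-ajax parameters are usually sent in the POST body, which an access log does not record, so on a real deployment the same function is most useful over WAF or application audit records that include request bodies.

```python
"""Flag access-log lines matching the CVE-2024-2006 detection indicators.
Added defender-side example; not part of the original advisory."""
import re
from urllib.parse import parse_qs, urlsplit

# Action name taken from the advisory's log indicators.
SUSPICIOUS_ACTION = "outpost_shortcode_metabox_markup"

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A PHP serialized object starts with  O:<len>:"<Class>":<count>:{
# (class names may contain namespace backslashes).
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

# Constructed sample log lines (not real traffic): a benign heartbeat call,
# two requests hitting the suspicious action (the second also carrying a
# serialized stdClass in a parameter), and an unrelated page view.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20
10.0.0.9 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=outpost_shortcode_metabox_markup HTTP/1.1" 200 300
10.0.0.9 - - [10/Mar/2024:12:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=outpost_shortcode_metabox_markup&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 300
10.0.0.4 - - [10/Mar/2024:12:00:20 +0000] "GET /blog/?s=hello HTTP/1.1" 200 4096
"""


def find_indicators(line: str) -> list:
    """Return the names of the indicators triggered by one access-log line.
    Only requests to admin-ajax.php are examined, matching the advisory."""
    match = LOG_RE.match(line)
    if not match:
        return []  # not a parseable access-log line
    target = urlsplit(match.group("target"))
    if not target.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    # parse_qs percent-decodes values, so the O:..:{ marker becomes visible
    params = parse_qs(target.query, keep_blank_values=True)
    found = []
    if SUSPICIOUS_ACTION in params.get("action", []):
        found.append("suspicious_ajax_action")
    if any(PHP_OBJECT_RE.search(v) for values in params.values() for v in values):
        found.append("serialized_php_object")
    return found


def scan_log(text: str) -> list:
    """Return (source ip, indicators) for every line that triggers an indicator."""
    hits = []
    for line in text.splitlines():
        indicators = find_indicators(line)
        if indicators:
            hits.append((LOG_RE.match(line).group("ip"), indicators))
    return hits


if __name__ == "__main__":
    for ip, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(indicators)}")
```

A line that triggers both indicators from one source is the strongest signal and should be correlated with the WordPress user active from that address at the time, since the vulnerability requires an authenticated contributor-level account; a bare hit on the action name alone is expected from legitimate editors using the plugin and is worth alerting on only in volume or from unfamiliar addresses.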
🔗 References
- https://plugins.trac.wordpress.org/browser/post-grid-carousel-ultimate/trunk/includes/classes/metabox.php#L43
- https://plugins.trac.wordpress.org/changeset?old_path=/post-grid-carousel-ultimate/tags/1.6.7&old=3045923&new_path=/post-grid-carousel-ultimate/tags/1.6.8&new=3045923&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8cf1b234-862b-41a0-ab63-a986f8023613?source=cve