Post Grid\, Slider \& Carousel Ultimate
Sign in to watchby Wpwax
CVEs (3)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-2006 | Hig | 0.57 | 8.8 | 0.02 | Mar 13, 2024 | The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |
| CVE-2025-24782 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate post-grid-carousel-ultimate allows PHP Local File Inclusion.This issue affects Post Grid, Slider & Carousel Ultimate: from n/a through <= 1.6.10. | |
| CVE-2024-29925 | Med | 0.42 | 6.5 | 0.00 | Mar 27, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate allows Stored XSS.This issue affects Post Grid, Slider & Carousel Ultimate: from n/a through 1.6.6. |