CVE-2020-35938

HIGH

Pickplugins Post Grid < 2.0.73 - Insecure Deserialization

Title source: rule

Description

PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts.

References (1)

[Exploit, Third Party Advisory] https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/

Scores

CVSS v3 7.5

EPSS 0.0134

EPSS Percentile 79.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

pickplugins/post_grid < 2.0.73

pickplugins/team_showcase < 1.22.16

Timeline

Published Jan 01, 2021

Tracked Since Feb 18, 2026