CVE-2020-35939

HIGH

Pickplugins Post Grid < 2.0.73 - Insecure Deserialization

Title source: rule

Description

PHP Object injection vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to team_import_xml_layouts.

References (1)

[Exploit, Third Party Advisory] https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/

Scores

CVSS v3 7.5

EPSS 0.0140

EPSS Percentile 80.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

pickplugins/post_grid < 2.0.73

pickplugins/team_showcase < 1.22.16

Timeline

Published Jan 01, 2021

Tracked Since Feb 18, 2026