[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fiEox6-pZQSm8_dujDb1OSPB_BMGiKQoCsi6tFBKLzfc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":36,"poc_video_id":9,"poc_summary":37,"poc_steps":38,"poc_tested_at":39,"poc_wp_version":40,"poc_php_version":41,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":42,"poc_verification_depth":9,"source_links":43},"CVE-2026-3017","smart-post-show-post-grid-post-carousel-slider-and-list-category-posts-authenticated-administrator-php-object-injection","Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts \u003C= 3.0.12 - Authenticated (Administrator+) PHP Object Injection","The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. 
If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.","post-carousel",null,"\u003C=3.0.12","3.0.13","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-13 16:33:40","2026-04-14 05:30:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F45690747-0b8d-4e2e-8dd0-07c12791c064?source=api-prod",1,[22,23,24],"includes\u002Fclass-smart-post-show-import-export.php","main.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-3017 (Smart Post Show)\n\n## 1. Vulnerability Summary\nThe **Smart Post Show** plugin (versions \u003C= 3.0.12) is vulnerable to **PHP Object Injection** via the `import_shortcodes()` function. The vulnerability exists because the plugin accepts a user-provided JSON string containing shortcode metadata and passes it through `maybe_unserialize()` without sufficient validation. Although the input is passed through `sanitize_text_field()`, this function does not prevent the injection of serialized PHP objects. Successful exploitation requires Administrator-level privileges and the presence of a usable POP chain in another plugin or theme.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n- **Action**: `sp_pc_import_shortcodes` (Inferred from function name and plugin prefix `sp_pc_`)\n- **HTTP Parameter**: `shortcode` (JSON-encoded string)\n- **Nonce**: `spf_options_nonce`\n- **Authentication**: Required (Administrator+). The capability check is `manage_options` (filterable via `sp_post_carousel_import_export_user_capability`).\n- **Preconditions**: Must be logged in as an administrator to obtain the nonce and satisfy the capability check.\n\n## 3. Code Flow\n1. 
**Entry Point**: The AJAX action triggers `Smart_Post_Show_Import_Export::import_shortcodes()`.\n2. **Nonce Check**: `wp_verify_nonce( $_POST['nonce'], 'spf_options_nonce' )` verifies the request integrity.\n3. **Capability Check**: `current_user_can( 'manage_options' )` ensures the user is an admin.\n4. **Input Decoding**: \n   - `$_POST['shortcode']` is captured and `json_decode()`'d.\n   - `map_deep()` applies `sanitize_text_field()` to the values. `sanitize_text_field` removes HTML tags and null bytes but allows characters like `:`, `{`, `}`, and `\"` used in serialized objects.\n5. **Sink Call**: `import_shortcodes()` calls `$this->import($shortcodes)`.\n6. **Vulnerable Sink**: Inside `import()`, the code iterates over `$shortcode['meta']`.\n   - `includes\u002Fclass-smart-post-show-import-export.php`:\n     ```php\n     $meta_value = maybe_unserialize( str_replace( '{#ID#}', $new_shortcode_id, $value ) );\n     update_post_meta( $new_shortcode_id, $meta_key, $meta_value );\n     ```\n   - The `maybe_unserialize()` function executes on the string `$value` (after a simple string replacement), leading to PHP Object Injection.\n\n## 4. Nonce Acquisition Strategy\nThe nonce `spf_options_nonce` is required. It is typically localized for the plugin's administration scripts.\n\n1. **Identify Page**: The \"Import\u002FExport\" functionality is likely located under the \"Smart Post Show\" menu in the WordPress dashboard.\n2. **Navigate**: Use `browser_navigate` to go to `wp-admin\u002Fedit.php?post_type=sp_post_carousel&page=sp_pc_settings` (or the specific Import\u002FExport sub-page).\n3. **Extract Nonce**: The nonce is likely part of a global configuration object.\n   - **Target Variable**: `window.spf_vars?.nonce` or similar.\n   - **Alternative**: Search the HTML source for `spf_options_nonce`.\n   - **Command**: `browser_eval(\"document.querySelector('#spf_options_nonce')?.value || spf_vars?.nonce\")`\n\n## 5. 
Exploitation Strategy\n### Payload Construction\nThe payload must be a JSON string that mimics the plugin's export format.\n\n```json\n{\n  \"shortcode\": [\n    {\n      \"title\": \"Exploit Post\",\n      \"meta\": {\n        \"exploit_meta_key\": \"O:8:\\\"stdClass\\\":0:{}\"\n      }\n    }\n  ]\n}\n```\n\n### HTTP Request (via `http_request`)\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```\n  action=sp_pc_import_shortcodes&nonce=[NONCE]&shortcode={\"shortcode\":[{\"title\":\"Exploit\",\"meta\":{\"injection\":\"O:8:\\\"stdClass\\\":0:{}\"}}]}\n  ```\n\n## 6. Test Data Setup\n1. **Admin User**: Ensure an admin user exists and is logged in (session cookies needed).\n2. **Plugin Activation**: Ensure the \"Smart Post Show\" plugin is active.\n3. **Shortcode Page**: Not strictly required for the exploit itself (since it's an admin-ajax action), but accessing the admin settings page is necessary to harvest the nonce.\n\n## 7. Expected Results\n- **Response**: The plugin should return a JSON success message (e.g., `{\"success\":true,...}`).\n- **Effect**: A new post of type `sp_post_carousel` will be created. The `update_post_meta` call will attempt to store an unserialized `stdClass` object (or the target POP chain object) in the database for that post.\n\n## 8. Verification Steps\n1. **Check Post Creation**: Use WP-CLI to see if the \"Exploit\" post was created.\n   - `wp post list --post_type=sp_post_carousel`\n2. **Check Meta Data**: Inspect the meta value to see if it was stored as an object or a string.\n   - `wp post meta list [NEW_POST_ID]`\n3. **Check Logs**: If a POP chain was used (e.g., `Logger` class), check for the side effect (file creation, log entry, etc.).\n\n## 9. 
Alternative Approaches\n- **Export Hook**: If `sp_pc_import_shortcodes` is incorrect, check the admin page source for the `id=\"spf-form\"` or similar and look for the hidden input `action` field.\n- **Double JSON Encoding**: The source code suggests a second `json_decode` if the first result is still a string. If the primary payload fails, try double-encoding the `shortcode` value.\n- **Nested Objects**: If `stdClass` is filtered, try a built-in WordPress class like `WP_Block_Type_Registry` if a chain is found.","The Smart Post Show plugin for WordPress is vulnerable to PHP Object Injection in versions up to 3.0.12 via the import_shortcodes() function. The vulnerability occurs because the plugin uses maybe_unserialize() on user-controlled meta data during the shortcode import process without sufficient validation, allowing administrative users to inject arbitrary PHP objects.","\u002F\u002F includes\u002Fclass-smart-post-show-import-export.php:147\n\t\t\t\tif ( isset( $shortcode['meta'] ) && is_array( $shortcode['meta'] ) ) {\n\t\t\t\t\tforeach ( $shortcode['meta'] as $key => $value ) {\n\t\t\t\t\t\t\u002F\u002F meta key.\n\t\t\t\t\t\t$meta_key = sanitize_key( $key );\n\t\t\t\t\t\t\u002F\u002F meta value.\n\t\t\t\t\t\t$meta_value = maybe_unserialize( str_replace( '{#ID#}', $new_shortcode_id, $value ) );\n\n\t\t\t\t\t\t\u002F\u002F update meta.\n\t\t\t\t\t\tupdate_post_meta( $new_shortcode_id, $meta_key, $meta_value );\n\t\t\t\t\t}\n\t\t\t\t}\n\n---\n\n\u002F\u002F includes\u002Fclass-smart-post-show-import-export.php:194\n\t\t$data = isset( $_POST['shortcode'] ) ? sanitize_text_field( wp_unslash( $_POST['shortcode'] ) ) : '';\n\t\tif ( ! $data ) {\n\t\t\twp_send_json_error( array( 'message' => esc_html__( 'Nothing to import.', 'post-carousel' ) ), 400 );\n\t\t}\n\n\t\t\u002F\u002F Decode JSON with error checking.\n\t\t$decoded_data = json_decode( $data, true );\n\n\u002F\u002F ... 
(truncated)\n\n\t\t$shortcodes = map_deep(\n\t\t\t$decoded_data['shortcode'],\n\t\t\tfunction ( $value ) {\n\t\t\t\treturn is_string( $value ) ? sanitize_text_field( $value ) : $value;\n\t\t\t}\n\t\t);\n\n\t\t$status = $this->import( $shortcodes );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpost-carousel\u002F3.0.12\u002Fincludes\u002Fclass-smart-post-show-import-export.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpost-carousel\u002F3.0.13\u002Fincludes\u002Fclass-smart-post-show-import-export.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpost-carousel\u002F3.0.12\u002Fincludes\u002Fclass-smart-post-show-import-export.php\t2025-12-29 09:48:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpost-carousel\u002F3.0.13\u002Fincludes\u002Fclass-smart-post-show-import-export.php\t2026-03-25 09:39:38.000000000 +0000\n@@ -147,10 +147,36 @@\n \t\t\t\t\tforeach ( $shortcode['meta'] as $key => $value ) {\n \t\t\t\t\t\t\u002F\u002F meta key.\n \t\t\t\t\t\t$meta_key = sanitize_key( $key );\n-\t\t\t\t\t\t\u002F\u002F meta value.\n-\t\t\t\t\t\t$meta_value = maybe_unserialize( str_replace( '{#ID#}', $new_shortcode_id, $value ) );\n \n-\t\t\t\t\t\t\u002F\u002F update meta.\n+\t\t\t\t\t\t\u002F\u002F Raw meta value with placeholder replaced.\n+\t\t\t\t\t\t$meta_value_raw = str_replace( '{#ID#}', $new_shortcode_id, $value );\n+\n+\t\t\t\t\t\tif ( is_string( $meta_value_raw ) && is_serialized( $meta_value_raw ) ) {\n+\n+\t\t\t\t\t\t\t\u002F\u002F @ suppresses warnings for malformed serialized data while import. 
Note: already sanitize the object each data, so this is just an extra precaution.\n+\t\t\t\t\t\t\t\u002F\u002F WordPress built-in function maybe_unserialize() does not block objects in serialized data.\n+\t\t\t\t\t\t\t\u002F\u002F For security, we use PHP's native unserialize() with 'allowed_classes' => false to stop creating objects.\n+\t\t\t\t\t\t\t\u002F\u002F to prevent PHP Object Injection while still converting serialized arrays, booleans, and strings.\n+\t\t\t\t\t\t\t$meta_value = @unserialize( \u002F\u002F phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize .\n+\t\t\t\t\t\t\t\t$meta_value_raw,\n+\t\t\t\t\t\t\t\tarray(\n+\t\t\t\t\t\t\t\t\t'allowed_classes' => false, \u002F\u002F Disallow all classes to prevent object instantiation.\n+\t\t\t\t\t\t\t\t)\n+\t\t\t\t\t\t\t);\n+\n+\t\t\t\t\t\t\t\u002F\u002F Fallback for blocked objects or invalid serialization.\n+\t\t\t\t\t\t\tif ( false === $meta_value && 'b:0;' !== $meta_value_raw ) {\n+\t\t\t\t\t\t\t\t$meta_value = $meta_value_raw;\n+\t\t\t\t\t\t\t}\n+\t\t\t\t\t\t} else {\n+\t\t\t\t\t\t\t$meta_value = $meta_value_raw;\n+\t\t\t\t\t\t}\n+\n+\t\t\t\t\t\t\u002F\u002F Ensure no object is ever stored in DB.\n+\t\t\t\t\t\tif ( is_object( $meta_value ) ) {\n+\t\t\t\t\t\t\t$meta_value = $meta_value_raw;\n+\t\t\t\t\t\t}\n+\n \t\t\t\t\t\tupdate_post_meta( $new_shortcode_id, $meta_key, $meta_value );\n \t\t\t\t\t}\n \t\t\t\t}","To exploit this vulnerability, an authenticated administrator must first obtain a valid security nonce (spf_options_nonce) from the plugin's administration page. The attacker then sends a POST request to wp-admin\u002Fadmin-ajax.php with the action parameter set to 'sp_pc_import_shortcodes'. The payload is delivered via the 'shortcode' parameter as a JSON-encoded string. This JSON must include a 'shortcode' array containing a 'meta' object. Inside this meta object, the attacker provides a serialized PHP object as a value. 
Although the plugin applies sanitize_text_field() to the values, this function does not remove characters required for PHP serialization. When the plugin processes the import, it calls maybe_unserialize() on the malicious meta value, triggering the instantiation of the injected object. If a suitable POP chain exists in the WordPress environment (through other plugins or themes), it can be leveraged for further impact such as remote code execution.","gemini-3-flash-preview","2026-04-16 15:56:21","2026-04-16 15:56:52","failed","",[],"2026-04-16 16:03:03","6.7","8.3","claude-sonnet-4-6",{"type":44,"vulnerable_version":45,"fixed_version":11,"vulnerable_browse":46,"vulnerable_zip":47,"fixed_browse":48,"fixed_zip":49,"all_tags":50},"plugin","3.0.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-carousel\u002Ftags\u002F3.0.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-carousel.3.0.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-carousel\u002Ftags\u002F3.0.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-carousel.3.0.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-carousel\u002Ftags"]