Home Hacking News Vulnerabilities Found In Post Grid And Team Showcase WordPress Plugins

Vulnerabilities Found In Post Grid And Team Showcase WordPress Plugins

by Abeerah Hashim
GiveWP Plugin Vulnerability Risked 100,000+ Websites To RCE Attacks

Another heads up for WordPress admins. Two more WordPress plugins, Post Grid and Team Showcase have serious security vulnerabilities. Patches are out, WordPress sites need an immediate update.

Post Grid, Team Showcase Plugins Vulnerabilities

Team Wordfence has found serious vulnerabilities in two more WordPress plugins; Post Grid and Team Showcase. Both the plugins belong to the same developers.

As elaborated in their recent blog post, the team first discovered the vulnerabilities in the Post Grid plugin. While investigating a flaw in it, they discovered similar bugs in the Team Showcase plugin.

It means that the vulnerabilities in both the plugins potentially risked thousands of websites to cyber attacks.

Regarding the bugs, briefly, the researchers found two different vulnerabilities affecting both plugins.

One of these includes a stored cross-site scripting (XSS) flaw. To exploit the flaw, an attacker simply had to trigger the vulnerable functions by sending an AJAX request. This would then make it possible for the attacker to execute malicious codes. Also, the attacker could take over the site, steal admin’s session data, and include backdoors.

As described in the post,

Regardless of how the vulnerable function was triggered, an attacker could supply a source parameter pointing to a crafted malicious payload hosted elsewhere. The function would then open the file containing the payload, decode it, and create a new page layout based on its contents. The created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css portion of this section. This would then be executed whenever an administrative user edited the layout or a visitor visited a page based on the layout.

The other vulnerability was a PHP object injection flaw that could also allow arbitrary code execution and site takeover.

Both the vulnerabilities achieved a high-severity rating with a CVSS score of 7.5.

Patches Rolled Out

The researchers discovered both vulnerabilities in September 2020, after which, they reached out to the developers.

Soon after their report, the developers patched the bugs with the release of Post Grid v2.0.73 and Team Showcase v1.22.16.

Post Grid plugin presently has over 60,000 active installations. It facilitates displaying posts on a site in a grid layout. Whereas, Team Showcase plugin boasts over 6000 installations. This plugin displays the team members of an organization on the website

You may also like