Post Grid and Team Showcase Plugins Contain Vulnerabilities

In mid-September, security researchers at Wordfence (Defiant) uncovered two severe vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations developed by PickPlugins.

During the analysis, the team discovered almost identical vulnerabilities in Team Showcase, another plugin by the same author with over 6,000 installations.

The good news is that the plugin developers released patches only a few hours after the flaws were disclosed to them.

Post Grid and Team Showcase Plugin Vulnerabilities

Post Grid allows users to display their posts in a grid layout, whereas Team Showcase displays an organization's team members. Both plugins permitted the import of custom layouts, with nearly identical functionality. Even though Post Grid didn't use the vulnerable import function, it still contained the flawed code, making it vulnerable.

A logged-in attacker with minimal permissions could exploit both plugins in Stored Cross-Site Scripting (XSS) attacks by sending a specific AJAX request.

Affected versions are Post Grid < 2.0.73 and Team Showcase < 1.22.16.

The other vulnerability, also affecting both plugins, could lead to PHP Object Injection. The same layout functions exposed the risk via the same method used in the cross-site scripting attack: the vulnerable functions unserialized the payload supplied in the source parameter. This flaw also required the attacker to hold minimal privileges, such as the subscriber level. "However, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers," Wordfence says.
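The two findings share one root cause: an admin-ajax handler that any logged-in user can reach, takes a layout from the `source` parameter, passes it through `unserialize()`, and stores it for later rendering. The following is an added illustration, not code from Post Grid, Team Showcase or PickPlugins; the action, option and function names (`hypo_*`) are hypothetical. It places that risky shape beside a hardened equivalent built from standard WordPress APIs (nonce check, capability check, JSON instead of PHP serialization, allow-list sanitization, output escaping):

```php
<?php
/**
 * Added illustration (not PickPlugins code): the risky pattern behind the
 * Post Grid / Team Showcase findings, beside a hardened equivalent.
 * All hypo_* names, the 'source' handling and the option key are hypothetical.
 */

// --- Vulnerable shape ---------------------------------------------------
// wp_ajax_* actions are reachable by every authenticated role, subscriber
// included. unserialize() on untrusted input instantiates attacker-chosen
// classes (PHP Object Injection), and storing the raw layout creates a
// stored-XSS sink wherever it is later echoed without escaping.
add_action( 'wp_ajax_hypo_import_layout_vulnerable', function () {
    $layout = unserialize( stripslashes( $_POST['source'] ?? '' ) ); // untrusted
    update_option( 'hypo_layout', $layout );
    wp_send_json_success();
} );

// --- Hardened shape -----------------------------------------------------
add_action( 'wp_ajax_hypo_import_layout', 'hypo_import_layout_secure' );
function hypo_import_layout_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'hypo_import_layout', 'nonce' );

    // 2. Authorization: importing layouts is an administrative task, so a
    //    subscriber-level account is rejected before any input is touched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input format: accept JSON only. json_decode() yields arrays and
    //    scalars, so no PHP class can ever be instantiated from the payload.
    $raw    = wp_unslash( $_POST['source'] ?? '' );
    $layout = json_decode( $raw, true );
    if ( ! is_array( $layout ) ) {
        wp_send_json_error( 'invalid layout', 400 );
    }

    // 4. Sanitize against an allow-list before anything reaches the database.
    $clean = hypo_sanitize_layout( $layout );
    update_option( 'hypo_layout', $clean );
    wp_send_json_success( $clean );
}

/**
 * Recursively allow-list the layout: known keys only, typed values, and
 * wp_kses_post() for the single field that is permitted to carry HTML.
 */
function hypo_sanitize_layout( array $layout ) : array {
    $allowed_keys = array( 'title', 'columns', 'template', 'items' );
    $clean        = array();
    foreach ( $layout as $key => $value ) {
        if ( ! in_array( $key, $allowed_keys, true ) ) {
            continue; // unknown key: drop it silently
        }
        switch ( $key ) {
            case 'title':
                $clean['title'] = sanitize_text_field( (string) $value );
                break;
            case 'columns':
                $clean['columns'] = max( 1, min( 6, (int) $value ) );
                break;
            case 'template':
                // HTML allowed here, but only post-safe tags and attributes.
                $clean['template'] = wp_kses_post( (string) $value );
                break;
            case 'items':
                $clean['items'] = array();
                foreach ( (array) $value as $item ) {
                    if ( is_array( $item ) ) {
                        $clean['items'][] = hypo_sanitize_layout( $item );
                    }
                }
                break;
        }
    }
    return $clean;
}

// Escape again at output time; stored data is never trusted to be safe HTML.
function hypo_render_title( array $layout ) : string {
    return '<h2>' . esc_html( $layout['title'] ?? '' ) . '</h2>';
}
```

If a plugin must keep accepting legacy PHP-serialized layouts, the narrowest fix is `unserialize( $raw, array( 'allowed_classes' => false ) )` (PHP 7.0+), which turns any embedded object into `__PHP_Incomplete_Class` instead of instantiating it; the capability check is what closes the subscriber-level and shortcode-exposure paths the article describes, and the output escaping is what removes the stored-XSS sink.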


How to stay protected?
If your WordPress site uses either of these plugins, you should update to the latest versions immediately. Currently, the latest Post Grid version is 2.0.73, whereas the newest version of Team Showcase is 1.22.16.

If you need more technical details about the flaws, you can refer to the original findings.

Researched and created by:
Krum Popov
Passionate web entrepreneur, has been crafting web projects since 2007. In 2020, he founded HTH.Guide, a platform dedicated to streamlining the search for the right web hosting solution.
Technically reviewed by:
Metodi Ivanov
Seasoned web development expert with 8+ years of experience, including specialized knowledge in hosting environments.
