CVE-2024-12040

Name of the Vulnerable Software and Affected Versions Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress versions up to, and including, 1.9.10

Description The issue allows authenticated attackers with Contributor-level access and above to include and execute arbitrary files on the server via the 'theme' attribute of the wcpcsu shortcode. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Recommendations For versions up to, and including, 1.9.10, consider disabling the wcpcsu shortcode until a patch is available to prevent exploitation. Restrict access to the 'theme' attribute of the shortcode to minimize the risk of arbitrary file inclusion. Avoid using the theme attribute in the wcpcsu shortcode until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.