CVE-2024-1951

Name of the Vulnerable Software and Affected Versions The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress versions up to, and including, 1.3.8

Description The issue allows authenticated attackers with contributor access and above to inject a PHP Object via deserialization of untrusted input through a shortcode. This could potentially lead to the deletion of arbitrary files, retrieval of sensitive data, or execution of code if a POP chain is present, either via an additional plugin or theme installed on the target system.

Recommendations For versions up to, and including, 1.3.8, update to a version that fixes the PHP Object Injection issue to prevent exploitation. As a temporary workaround, consider restricting contributor access and above to minimize the risk of exploitation until a patch is available. Avoid using shortcodes with untrusted input in the affected plugin until the issue is resolved.