CVE-2024-13408

Name of the Vulnerable Software and Affected Versions Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress versions up to, and including, 1.6.10

Description The issue allows authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server through the theme attribute of the pgcu shortcode. This enables the execution of any PHP code in those files, which can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

Recommendations For versions up to, and including, 1.6.10, update to a version higher than 1.6.10 to resolve the issue. As a temporary workaround, consider restricting access to the pgcu shortcode or disabling the theme attribute to minimize the risk of exploitation. Restrict access to uploading and including PHP files to prevent code execution.