PT-2026-32599 · WordPress · Smart Post Show

Vilaysone Chanthavong · Published 2026-04-14 · Updated 2026-04-14 · CVE-2026-3017

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts versions prior to 3.0.13

Description

The plugin is susceptible to PHP Object Injection due to the deserialization of untrusted input within the import shortcodes() function. This allows authenticated attackers with Administrator-level access or higher to inject a PHP Object. This issue requires a POP chain (a sequence of gadgets used to achieve a specific goal during deserialization) to be present in another installed plugin or theme to have an impact. If such a chain exists, it could enable the deletion of arbitrary files, retrieval of sensitive data, or code execution.

Recommendations

Update to a version later than 3.0.12.
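
The bug class described above, as an added example that is not the plugin's code: an import routine that calls unserialize() on uploaded data, beside a hardened form that refuses to instantiate objects. All function names and sample payloads are constructed for illustration.

```php
<?php
// Added illustration; function names and payloads are hypothetical.

// Vulnerable pattern: any class available in the running site can be
// instantiated, so its __wakeup()/__destruct() methods become gadgets.
function example_import_unsafe(string $payload)
{
    return unserialize($payload);
}

// True if $value is, or contains, an object (including the
// __PHP_Incomplete_Class placeholder produced by allowed_classes => false).
function example_contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (example_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: never instantiate classes, accept only plain arrays.
function example_import_safe(string $payload): ?array
{
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data) || example_contains_object($data)) {
        return null; // malformed input, non-array value, or object present
    }
    return $data;
}

// Constructed sample payloads: a plain settings array and one with an object.
$plain  = 'a:1:{s:5:"title";s:4:"Grid";}';
$object = 'a:1:{s:1:"x";O:8:"stdClass":0:{}}';

var_dump(example_import_safe($plain));
var_dump(example_import_safe($object));
```

Exchanging exports as JSON (json_encode()/json_decode()) avoids the object-instantiation path entirely.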

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-3017

Affected Products: Smart Post Show