WordPress PHP Object Injection Hits Smart Post Show Plugin

/HIGH
SCW vulnerabilitycvehigh-severityinsecure-deserializationcwe-502
WordPress PHP Object Injection Hits Smart Post Show Plugin

A critical PHP Object Injection vulnerability, tracked as CVE-2026-3017, has been identified in the Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress. According to the National Vulnerability Database, all versions up to and including 3.0.12 are susceptible due to insecure deserialization of untrusted input within the import_shortcodes() function. This flaw allows authenticated attackers with Administrator-level access or higher to inject a PHP Object.

While the vulnerability itself, with a CVSS score of 7.2 (HIGH), requires high privileges, its true danger lies in the potential presence of a Property-Oriented Programming (POP) chain. The National Vulnerability Database notes that no known POP chain exists within the vulnerable plugin itself. However, if another plugin or theme installed on the target WordPress site contains a POP chain, this vulnerability could be escalated significantly. Such a combination might enable an attacker to perform severe actions, including arbitrary file deletion, sensitive data retrieval, or remote code execution, depending on the specific POP chain available.

Related ATT&CK Techniques

T1505.003 Server Software Component: Web Shell Persistence T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: PHP Execution

🛡️ Detection Rules

6 rules · 5 SIEM formats

6 auto-generated detection rules for this incident, mapped to MITRE ATT&CK. Available in Sigma, Splunk SPL, Sentinel KQL, Elastic Lucene, and QRadar AQL.

high T1505.003 Persistence

Web Shell Activity Detection — CVE-2026-3017

Sigma Splunk SPL Sentinel KQL Elastic QRadar AQL

Get this rule in your SIEM's native format — copy, paste, detect. No manual conversion.

6 Sigma rules mapped to the ATT&CK techniques from this breach — pick your SIEM and get a ready-to-paste query.

Get Detection Rules →

Indicators of Compromise

IDTypeIndicator
CVE-2026-3017 Deserialization WordPress plugin 'Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts' versions <= 3.0.12
CVE-2026-3017 Code Injection PHP Object Injection via deserialization of untrusted input in the 'import_shortcodes()' function
CVE-2026-3017 Privilege Escalation Requires authenticated attacker with Administrator-level access or above

By Shimi's Cyber World Editorial

Related Posts

Critical RCE Flaw Hits NuGet Gallery Backend

CVE-2026-39399 — NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-20cwe-22
/CRITICAL /⚑ 4 IOCs

BoidCMS LFI to RCE: A Critical Template Flaw

CVE-2026-39387 — BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are...

vulnerabilityCVEhigh-severityremote-code-executioncwe-98
/HIGH /⚑ 4 IOCs

Nanobot AI: WebSocket Hijack Puts WhatsApp Sessions at Risk

CVE-2026-35589 — nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server...

vulnerabilityCVEhigh-severitycwe-1385
/HIGH /⚑ 5 IOCs