October 5

High Severity Vulnerabilities within Post Grid and Group Showcase Plugins

WordPress Vulnerabilities


This post was originally published on this site

On September 14, 2020, our Threat Cleverness team discovered two higher severity vulnerabilities in Article Grid, a WordPress plugin with more than 60,000 installations. While investigating one of these brilliant vulnerabilities, we found that almost similar vulnerabilities were also within Team Showcase, another plugin by exactly the same author with over 6,000 installations.

We initially reached away to the plugin’s programmer, PickPlugins, on September 16, 2020 and provided whole disclosure the very next day. Patches for both plugins had been made available just a few hours after we supplied disclosure on September 17, 2020.

Wordfence Premium customers received a firewall guideline protecting both plugins from both vulnerabilities on September 16, 2020. Sites nevertheless running the free edition of Wordfence will receive this principle after 1 month, on October 16, 2020.

Explanation: Stored Cross-Web site Scripting (XSS)
Affected Products: Write-up Grid, Group Showcase
Plugin slug: post-grid,group
Affected Variations: Blog post Grid < 2.0.73 and Team Showcase < 1.22.16
CVE ID: Pending
CVSS Score: 7.5 (Higher)
Fully Patched Version: Posting Grid 2.0.73 and Group Showcase 1.22.16

Post Grid is really a popular WordPress plugin which allows users to show their posts in a grid layout, while Team Showcase was created to showcase an organization’s associates. Both these plugins allowed the import of custom layouts, and contained nearly identical functions to be able to import these layouts. Post Grid no more actually used the vulnerable import function, although vulnerable code was still present.

In both cases, a logged-in attacker with reduced permissions such as for example subscriber could trigger the functions by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function with exactly the same name.

Additionally, in the Post Grid plugin, the post_grid_import_xml_layouts function may be triggered with a shortcode. Automagically, this meant that only authenticated users can to activate it. Any third party plugin allowing unauthenticated shortcode execution, however, would extend the vulnerability to unauthenticated attackers.

add_shortcode('post_grid_import_xml_layouts', 'post_grid_import_xml_layouts');

function post_grid_import_xml_layouts()
    $post_grid_info = get_option('post_grid_info');

    $response = array();
    $user_id = get_current_user_id();
    $source = isset($_POST['source']) ? sanitize_text_field($_POST['source']) : '';
    $skip = isset($_POST['skip']) ? sanitize_text_field($_POST['skip']) : '';

    if($skip == 'yes')

        if(strpos($source, 'post-grid-pro'))
            $post_grid_info['import_pro_layouts'] = 'done';
            $post_grid_info['import_layouts'] = 'done';

        $response['skip_success'] = __('Import skipped','post-grid');
        update_option('post_grid_info', $post_grid_info);

        echo json_encode($response);

        $json_obj = file_get_contents($source);
        $json_obj = '';

    //$xml_json = json_encode($html_obj);
    $xml_arr = json_decode($json_obj, true);

    $items = isset($xml_arr['rss']['channel']['item']) ? $xml_arr['rss']['channel']['item'] : array();

    foreach ($items as $item)

        $post_title = isset($item['title']) ? $item['title'] : '';
        $postmeta = isset($item['postmeta']) ? $item['postmeta'] : array();

        $post_id = wp_insert_post(
                'post_title'    => $post_title,
                'post_content'  => '',
                'post_status'   => 'publish',
                'post_type'   	=> 'post_grid_layout',
                'post_author'   => $user_id,

//            echo '<br>';
//            echo $post_title. ' Created';
//            echo '<br>';

        foreach ($postmeta as $meta) $meta_key == 'layout_elements_data' 


    $response['success'] = __('Import done','post-grid');

    if(strpos($source, 'post-grid-pro'))
        $post_grid_info['import_pro_layouts'] = 'done';
        $post_grid_info['import_layouts'] = 'done';

    update_option('post_grid_info', $post_grid_info);

    echo json_encode($response);

add_action('wp_ajax_post_grid_import_xml_layouts', 'post_grid_import_xml_layouts');

Regardless of the way the vulnerable function was triggered, an attacker could supply a source parameter pointing to a crafted malicious payload hosted elsewhere. The event would then open the file containing the payload, decode it, and develop a new page layout predicated on its contents. The created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css part of this section. This might then be executed whenever an administrative user edited the layout or perhaps a visitor visited a full page in line with the layout.

Any malicious JavaScript added this way could possibly be used to dominate a site with the addition of a malicious administrator, adding a backdoor to plugin or theme files, or stealing the administrator’s session information.

Description: PHP Object Injection
Affected Products: Post Grid, Team Showcase
Plugin slug: post-grid,team
Affected Versions: Post Grid < 2.0.73 and Team Showcase < 1.22.16
CVE ID: Pending
CVSS Score: 7.5 (High)
Fully Patched Version: Post Grid 2.0.73 and Team Showcase 1.22.16

The post_grid_import_xml_layouts and team_import_xml_layouts functions may be useful for PHP Object Injection utilizing the same mechanism because the XSS attack. This is possible as the vulnerable functions unserialized the payload supplied in the source parameter.

As this attacker could craft a string that might be unserialized into a dynamic PHP Object. Although neither plugin utilized any vulnerable magic methods, if another plugin utilizing a vulnerable magic method was installed, Object Injection could possibly be utilized by an attacker. Doing this allows a malicious actor to execute arbitrary code, delete or write files, or perform a variety of other actions that could result in site takeover.

As with the XSS vulnerability, the PHP Object injection vulnerability would typically require the attacker with an account with at the very least subscriber level privileges. However, sites utilizing a plugin or theme that allowed unauthenticated people to execute arbitrary shortcodes will be susceptible to unauthenticated attackers.


September 14, 2020 – Our Threat Intelligence team finds two vulnerabilities in the Post Grid plugin.
September 16, 2020 – We discover identical vulnerabilities in the Team Showcase plugin. We to push out a firewall rule for Wordfence Premium customers and get in touch with PickPlugins, the developer for both plugins.
September 17, 2020 – PickPlugins responds, and we offer full disclosure. PickPlugins releases fixes for both plugins.
October 16, 2020 – The firewall rule becomes open to free Wordfence users.


In today’s post, we detailed two high-severity vulnerabilities within both Post Grid plugin and the Team Showcase plugin, including a stored Cross-Site Scripting(XSS) vulnerability and a PHP Object Injection vulnerability.

Wordfence Premium users have already been protected from attacks against both plugins since September 16, 2020. Sites still running the free version of Wordfence will have the firewall rule on October 16, 2020.

If your website is running either of the plugins it is important that you update to the most recent version at the earliest opportunity. During this writing, the most recent version of Post Grid is 2.0.73 and the most recent version of Team Showcase is 1.22.16. Once you learn anyone who’s using either of the plugins, please share this report using them as well.

Special because of the plugin’s developer, PickPlugins, because of their rapid response in patching these vulnerabilities.

The post High Severity Vulnerabilities in Post Grid and Team Showcase Plugins appeared first on Wordfence.

About the author 

WP Maintain Support Protect

You may also like

Who Attacked SolarWinds and just why WordPress Users Have to know

Who Attacked SolarWinds and just why WordPress Users Have to know

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

WordPress Hardening: 18 Methods to Harden Security of one’s Website

WordPress Hardening: 18 Methods to Harden Security of one’s Website
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!