Skip to main content

PHP CVE-2026-3017

| EUVD-2026-22221 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-04-14 Wordfence GHSA-vw96-fcx4-fx55
PHP WordPress Information Disclosure Deserialization
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 20:37 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 05:56 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 05:45 euvd
EUVD-2026-22221
Analysis Generated
Apr 14, 2026 - 05:45 vuln.today
CVE Published
Apr 14, 2026 - 05:30 nvd
HIGH 7.2

DescriptionCVE.org

The Smart Post Show - Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

AnalysisAI

PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Compromise admin credentials
Delivery
Authenticate to WordPress dashboard
Exploit
Navigate to plugin import function
Install
Upload malicious serialized payload
C2
Trigger deserialization via import_shortcodes()
Execute
Exploit POP chain in co-installed plugin
Impact
Execute arbitrary code or exfiltrate data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires WordPress with Smart Post Show plugin versions up to 3.0.12 installed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is highly contextual and lower than the CVSS 7.2 score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious actor who has compromised WordPress administrator credentials (via phishing, credential stuffing, or insider threat) authenticates to the site's admin panel and accesses the Smart Post Show plugin's import feature. The attacker crafts a malicious serialized PHP object containing gadget chain invocations targeting a vulnerable theme installed on the site (such as an outdated version with known POP chains). …
Remediation Immediately upgrade Smart Post Show plugin to version 3.0.13 or later, which addresses the unsafe deserialization vulnerability as documented in WordPress Trac changeset 3490703 at https://plugins.trac.wordpress.org/changeset/3490703/post-carousel. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Disable the Smart Post Show plugin or restrict administrator access to import_shortcodes functionality via code modification if disabling is not feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-3017 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy