Two vulnerabilities in WordPress plugins can lead to site takeover. The Post Grid and Team Showcase plugins are vulnerable to stored XSS and PHP object-injection bugs; together the plugins have over 66,000 installs. The vulnerabilities were discovered by Wordfence’s Threat Intelligence team. PickPlugins, the developer of both plugins, was notified about the flaws and patched them soon after.
CVSS Score: 7.5
Both vulnerabilities carry a CVSS score of 7.5. The Imunify Security team announced that it had also researched the flaws and provided protection via its WAF. According to the announcement, rule ID 77316738 was written for this case, with the message: “IM360 WAF: WordPress plugin Post Grid < 2.0.73/Team Showcase < 1.22.16 – Stored Cross-Site Scripting”. It is available in the stable version v3.41, released on the 7th of October. The Imunify Security team also urged users to review the ModSecurity events on the Incidents tab of the Imunify360 plugin interface.
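The WAF rule message above encodes the only actionable check on this page: any install of Post Grid below 2.0.73 or Team Showcase below 1.22.16 is still exposed. The script below is an added example, not code from Wordfence, Imunify or PickPlugins; it reads the CSV that `wp plugin list --format=csv` prints and flags plugins still below the patched release. The plugin slugs `post-grid` and `team-showcase` and the sample CSV are assumptions constructed for the example. Versions are compared numerically, component by component, because a plain string comparison would wrongly rank `2.0.8` above `2.0.73`.

```python
"""Flag installed copies of Post Grid / Team Showcase that are older than the
patched versions named in the advisory. Added example, not vendor code."""
import csv
import io
import re

# Patched versions from the advisory text. The slugs are assumptions: the
# directory names WP-CLI is expected to print for these two plugins.
FIXED_IN = {
    "post-grid": "2.0.73",
    "team-showcase": "1.22.16",
}


def version_tuple(version: str) -> tuple:
    """Turn '2.0.73' into (2, 0, 73). Only the leading digits of each dotted
    component count, so '1.22.16-beta' compares as (1, 22, 16)."""
    nums = []
    for part in version.strip().split("."):
        match = re.match(r"\d+", part)
        nums.append(int(match.group()) if match else 0)
    return tuple(nums)


def is_vulnerable(slug: str, installed: str) -> bool:
    """True when `slug` is one of the affected plugins and `installed` is
    strictly below the patched release. Pads to equal length so that
    '2.0' and '2.0.0' compare as equal rather than as different."""
    if slug not in FIXED_IN:
        return False
    have, need = version_tuple(installed), version_tuple(FIXED_IN[slug])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def vulnerable_plugins(wp_cli_csv: str) -> list:
    """Parse the output of `wp plugin list --format=csv` (assumed columns
    name,status,update,version) and return (slug, installed, fixed_in) for
    every affected plugin still below the patched version. The status column
    is deliberately ignored: an inactive copy can be reactivated, so the files
    on disk should be updated either way."""
    hits = []
    for row in csv.DictReader(io.StringIO(wp_cli_csv)):
        slug = row["name"]
        if is_vulnerable(slug, row["version"]):
            hits.append((slug, row["version"], FIXED_IN[slug]))
    return hits


# Constructed sample of WP-CLI output: one unaffected plugin, one vulnerable
# Post Grid, one already-patched (but inactive) Team Showcase.
SAMPLE_WP_CLI_OUTPUT = """name,status,update,version
akismet,active,none,4.2.1
post-grid,active,available,2.0.72
team-showcase,inactive,none,1.22.16
"""

if __name__ == "__main__":
    for slug, have, need in vulnerable_plugins(SAMPLE_WP_CLI_OUTPUT):
        print(f"{slug}: installed {have}, patched in {need}; update now")
```

On a real site, pipe the live listing in with `wp plugin list --format=csv | python3 check_pickplugins.py` after changing the `__main__` block to read `sys.stdin`; the comparison logic stays the same.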