Vulnerabilities and security researches forpost-carousel post-carousel

Jun 07, 2024

CVE, Research URL: 98e123ac1a86723d620a2b959e6ecfa13513b410
Home page URL: Security reports for Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Application: Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Date: Aug 16, 2021
Research Description: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More [post-carousel] < 2.3.5 Post Carousel < 2.3.5 - Missing Capabilities Check The Post Carousel plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on multiple functions in versions up to, and including, 2.3.4. This makes it possible for attackers to improperly access administrative actions.
Affected versions: max 2.3.5.
Status: vulnerable

CVE, Research URL: CVE-2023-0097
Home page URL: Security reports for Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Application: Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Date: Jan 31, 2023
Research Description: The Post Grid, Post Carousel, & List Category Posts WordPress plugin before 2.4.19 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: max 2.3.5.
Status: vulnerable

Jul 20, 2024

CVE, Research URL: CVE-2024-3996
Home page URL: Security reports for Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Application: Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Date: May 16, 2025
Research Description: The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: max 2.4.28.
Status: vulnerable

Oct 10, 2024

CVE, Research URL: CVE-2024-8187
Home page URL: Security reports for Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Application: Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Date: May 16, 2025
Research Description: The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: max 3.0.1.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-3017
Home page URL: Security reports for Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Application: Post Grid, Post Carousel, & List Category Posts – by Smart Post Show
Date: Apr 14, 2026
Research Description: The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Affected versions: max 3.0.13.
Status: vulnerable