CVE-2026-3017: CWE-502 Deserialization of Untrusted Data in shapedplugin Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
The Smart Post Show plugin for WordPress, in all versions up to and including 3.0.12, contains a PHP Object Injection vulnerability: untrusted input is passed to unserialize() in the import_shortcodes() function. Exploitation requires Administrator-level access or higher. On its own the deserialization only instantiates objects; turning that into impact depends on a gadget (POP) chain in other installed plugins or themes, which could enable actions such as arbitrary file deletion, sensitive data retrieval, or code execution. No public proof-of-concept exploit is currently reported. The vulnerability carries a CVSS 3.1 score of 7.2 (high), but no official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
CVE-2026-3017 is a PHP Object Injection vulnerability in the Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts WordPress plugin, affecting all versions up to and including 3.0.12. The issue arises from unsafe deserialization of untrusted input in the import_shortcodes() function: an attacker with Administrator privileges can supply a serialized PHP blob that the plugin passes to unserialize(), instantiating arbitrary classes that are loaded on the site and triggering their magic methods (__wakeup, __destruct and similar). Impactful exploitation, such as arbitrary file deletion, sensitive data access, or code execution, requires a gadget (POP) chain in some other installed plugin or theme. No POP chain is known to exist in the plugin itself. The vulnerability has a CVSS 3.1 score of 7.2 (high severity). No official patch or vendor remediation information is currently provided.
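The following is an added illustration of the CWE-502 pattern described above; it is not code from the Smart Post Show plugin, and the gadget class, its property and the payload shape are hypothetical stand-ins. It shows why an unrestricted unserialize() on import data is dangerous even when the plugin itself is harmless, and two ways to harden such an import:

```php
<?php
// Added illustration of the CWE-502 pattern; this is NOT code from the
// Smart Post Show plugin. The class name, property, and payload shape are
// hypothetical stand-ins; only the unserialize() sink and its hardening
// are the point. Run with: php object_injection_demo.php

// Stand-in for a gadget class that some OTHER installed plugin or theme might
// define. PHP calls __destruct when the object is freed, so simply
// unserializing attacker-controlled data is enough to run it.
class HypotheticalLogCleaner
{
    public $path = '';

    public function __destruct()
    {
        // A real gadget would do unlink($this->path) or similar; here we
        // only report what would have happened.
        echo "[gadget] __destruct would unlink: {$this->path}\n";
    }
}

// Vulnerable pattern: an import handler that trusts a serialized blob.
function import_shortcodes_vulnerable(string $blob): array
{
    $data = unserialize($blob); // CWE-502: any loaded class may be instantiated
    return is_array($data) ? $data : [];
}

// Hardened: forbid object instantiation. With allowed_classes => false
// (PHP >= 7.0) every object in the blob becomes __PHP_Incomplete_Class, whose
// magic methods never run; the whole import is then rejected if any slipped in.
function import_shortcodes_hardened(string $blob): array
{
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $smuggled = false;
    array_walk_recursive($data, function ($leaf) use (&$smuggled) {
        if (is_object($leaf)) {
            $smuggled = true;
        }
    });
    return $smuggled ? [] : $data;
}

// Better still: accept a format that cannot encode objects at all.
function import_shortcodes_json(string $blob): array
{
    $data = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed payload: what a malicious Administrator could submit to the
// import endpoint. Written as a literal so that serialize() does not itself
// instantiate (and destruct) the gadget during the demo.
$payload = 'a:1:{i:0;O:22:"HypotheticalLogCleaner":1:{s:4:"path";s:22:"/var/www/wp-config.php";}}';

echo "vulnerable import:\n";
import_shortcodes_vulnerable($payload);          // gadget's __destruct runs when the result is freed

echo "hardened import:\n";
var_dump(import_shortcodes_hardened($payload));  // empty array; the gadget never executes

echo "json import:\n";
var_dump(import_shortcodes_json('[{"shortcode":"[example_grid id=1]"}]')); // hypothetical shortcode
```

The `allowed_classes` option is the minimal fix when the serialized format must be kept for compatibility; switching the import format to JSON removes the object-instantiation surface entirely, which is the stronger choice for new code.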
Potential Impact
If exploited in an environment where a suitable POP chain exists in other installed plugins or themes, an attacker with Administrator access could perform critical actions including arbitrary file deletion, sensitive data disclosure, or remote code execution. Without such a POP chain, the vulnerability has no known practical impact beyond instantiating incomplete objects. There are no known exploits in the wild at this time.
Mitigation Recommendations
No official patch or remediation guidance is currently available from the vendor. Because exploitation requires Administrator-level access, the practical exposure is narrower than the weakness class suggests: on a standard single-site WordPress install an Administrator can already upload arbitrary PHP through the plugin or theme uploader, so this flaw matters most where that path is closed (for example, DISALLOW_FILE_MODS set in wp-config.php, or a multisite where site Administrators cannot install plugins). Until a fixed release is published: keep the number of Administrator accounts minimal and protect them with MFA; install plugins and themes only from trusted sources, since any impact depends entirely on a gadget chain in other installed code; and on hardened sites that otherwise prevent admin-to-code-execution, consider deactivating the plugin. Monitor the vendor advisory and the plugin changelog for a release later than 3.0.12 that addresses the issue. Patch status is not yet confirmed; check the vendor advisory for current remediation guidance.
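Whether a gadget chain is reachable on a given site depends on what else is installed. The following added triage script (not part of the plugin or of any advisory) walks wp-content/plugins and wp-content/themes and lists candidate deserialization sinks and candidate gadget classes, so an operator can decide whether the "requires a POP chain" caveat actually applies to their install. The default path is an assumption; pass your own wp-content directory as the first argument.

```php
<?php
// Added triage helper, not part of the plugin or of any advisory. It reports
// (a) unserialize()/maybe_unserialize() calls with no allowed_classes option on
// the same line, i.e. candidate sinks, and (b) classes defining magic methods
// that run during or after deserialization, i.e. candidate gadgets. A hit is a
// lead for manual review, not a confirmed chain; a restriction placed on the
// following line is missed by this line-oriented check.
// Usage: php scan_pop_candidates.php /path/to/wp-content

function scan_php_files(string $root): array
{
    $sinks = [];
    $gadgets = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $i => $line) {
            $loc = $file->getPathname() . ':' . ($i + 1);
            // Sink: a deserialization call that does not restrict classes.
            if (preg_match('/\b(maybe_)?unserialize\s*\(/', $line)
                && !preg_match('/allowed_classes/', $line)) {
                $sinks[] = $loc . '  ' . trim($line);
            }
            // Gadget candidate: magic methods reachable from an injected object.
            if (preg_match('/function\s+(__destruct|__wakeup|__unserialize|__toString)\s*\(/', $line, $m)) {
                $gadgets[] = $loc . '  ' . $m[1];
            }
        }
    }
    return ['sinks' => $sinks, 'gadgets' => $gadgets];
}

$wpContent = $argv[1] ?? '/var/www/html/wp-content'; // assumed default path
foreach (['plugins', 'themes'] as $dir) {
    $path = "$wpContent/$dir";
    if (!is_dir($path)) {
        continue;
    }
    $r = scan_php_files($path);
    printf("%s: %d sink(s), %d gadget candidate(s)\n", $dir, count($r['sinks']), count($r['gadgets']));
    foreach ($r['sinks'] as $s) {
        echo "  SINK    $s\n";
    }
    foreach ($r['gadgets'] as $g) {
        echo "  GADGET  $g\n";
    }
}
```

A site with many gadget candidates in third-party code is where this CVE carries real risk; a site whose only sink is the one described here and whose themes and plugins define no such magic methods has, as the analysis above notes, little practical exposure until a chain is introduced.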
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-23T10:25:18.516Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ddd4cb82d89c981fef0e8e
Added to database: 4/14/2026, 5:46:51 AM
Last enriched: 4/21/2026, 6:22:13 AM
Last updated: 5/29/2026, 2:52:04 PM