CVE-2024-1950: 
WordPress vulnerability analysis and mitigation

The Product Carousel Slider & Grid Ultimate for WooCommerce WordPress plugin (versions up to and including 1.9.7) contains a PHP Object Injection vulnerability. The vulnerability was discovered and disclosed on March 13, 2024, and is tracked as CVE-2024-1950. This security issue affects the plugin's shortcode functionality (NVD).

The vulnerability stems from improper handling of deserialization of untrusted input via shortcode. The severity is rated as HIGH with a CVSS v3.1 base score of 7.5 (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). While no POP (Property-Oriented Programming) chain is present in the vulnerable plugin itself, the vulnerability could be exploited if a POP chain exists via additional plugins or themes installed on the target system (Wordfence).

If successfully exploited, this vulnerability could allow authenticated attackers with contributor-level access or higher to inject PHP objects. When combined with a POP chain from other installed plugins or themes, this could lead to arbitrary file deletion, sensitive data retrieval, or code execution on the affected system (NVD).

Website administrators should update the Product Carousel Slider & Grid Ultimate for WooCommerce plugin to version 1.9.8 or later, which contains fixes for this vulnerability (WordPress).