CVE-2025-24782
Published: 27 January 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24782 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as PHP Remote File Inclusion but manifesting as PHP Local File Inclusion, in the wpWax Post Grid, Slider & Carousel Ultimate WordPress plugin (post-grid-carousel-ultimate). This issue affects all versions from n/a through 1.6.10, as documented in the CVE description published on 2025-01-27.
The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility with low attack complexity. It requires low privileges (such as an authenticated contributor or similar role) and no user interaction, enabling exploitation to achieve high confidentiality impact through unauthorized disclosure of local files on the server.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/post-grid-carousel-ultimate/vulnerability/wordpress-post-grid-slider-carousel-ultimate-with-shortcode-gutenberg-block-elementor-widget-plugin-1-6-10-local-file-inclusion-vulnerability?_s_id=cve details the Local File Inclusion flaw specifically in plugin version 1.6.10. Practitioners should review the advisory for mitigation guidance, including potential patches or workarounds from the vendor.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI vulnerability in public-facing WordPress plugin directly enables exploitation of the web application (T1190) for unauthorized local file reads (T1005).