CVE-2025-24782 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-24782?

CVE-2025-24782 has a CVSS score of 6.5 (MEDIUM). This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Post Grid, Slider & Carousel Ultimate plugin versions up to 1.6.10, potentially leading to sensitive information disclosure or code execution.

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Post Grid, Slider & Carousel Ultimate plugin versions up to 1.6.10, potentially leading to sensitive information disclosure or code execution.

💻 Affected Systems

Products:

Post Grid, Slider & Carousel Ultimate WordPress Plugin

Versions: n/a through 1.6.10

Operating Systems: All operating systems running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled. PHP configuration with allow_url_include disabled still vulnerable to local file inclusion.

📦 What is this software?

Post Grid\, Slider \& Carousel Ultimate by Wpwax

View all CVEs affecting Post Grid\, Slider \& Carousel Ultimate →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through local file inclusion leading to remote code execution, sensitive file disclosure (like wp-config.php with database credentials), and complete site takeover.

🟠

Likely Case

Information disclosure of sensitive server files, potential privilege escalation through reading configuration files, and limited code execution depending on server configuration.

🟢

If Mitigated

Limited impact if proper file permissions restrict access to sensitive files and PHP configuration disables dangerous functions.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and this vulnerability can be exploited remotely without authentication.

🏢 Internal Only: MEDIUM - Internal WordPress installations could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP requests can trigger the vulnerability. Public proof-of-concept exists in the Patchstack advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.11 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/post-grid-carousel-ultimate/vulnerability/wordpress-post-grid-slider-carousel-ultimate-with-shortcode-gutenberg-block-elementor-widget-plugin-1-6-10-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Post Grid, Slider & Carousel Ultimate'. 4. Click 'Update Now' if update available. 5. Alternatively, download version 1.6.11+ from WordPress repository and replace plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the plugin until patched

wp plugin deactivate post-grid-carousel-ultimate

Restrict PHP file inclusion

linux

Add PHP configuration to restrict file inclusion paths

Add 'open_basedir = /var/www/html' to php.ini

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block file inclusion patterns
Restrict plugin access to authenticated users only using WordPress access controls

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Post Grid, Slider & Carousel Ultimate' version ≤1.6.10

Check Version:

wp plugin get post-grid-carousel-ultimate --field=version

Verify Fix Applied:

Verify plugin version is 1.6.11 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual file paths in PHP error logs
HTTP requests with file inclusion patterns in parameters
Multiple 404 errors for non-existent plugin files

Network Indicators:

HTTP requests containing '..', '/etc/', or other directory traversal patterns
Requests to plugin endpoints with file parameters

SIEM Query:

web.url:*post-grid-carousel-ultimate* AND (web.param:*../* OR web.param:*etc/passwd*)

📊 Metadata

CVE ID: CVE-2025-24782

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-98

EPSS Score: 0.13% exploit probability (33.3th percentile)

Published: January 27, 2025

Last Updated: March 10, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/post-grid-carousel-ultimate/vulnerability/wordpress-post-grid-slider-carousel-ultimate-with-shortcode-gutenberg-block-elementor-widget-plugin-1-6-10-local-file-inclusion-vulnerability?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24782, you might also want to check these: