Cyber Resilience

CVE-2024-11642

Severity: Critical

Published: 09 January 2025
Modified: 08 April 2026
KEV Added: not listed
Patch: 3.4.13
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0101 (77.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11642 is a critical-severity Path Traversal (CWE-22) vulnerability in Addonmaster Post Grid Master. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 22.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-11642 is a local file inclusion (LFI) vulnerability, classified under CWE-22 (path traversal), affecting the Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress. The flaw exists in all versions up to and including 3.4.12 and stems from improper handling of the template path in the 'locate_template' function within Shortcode.php. An attacker can cause the plugin to include and execute an arbitrary file on the server, provided the file has a .php extension, which can lead to remote code execution.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables the inclusion of arbitrary PHP files, allowing code execution, bypass of access controls, and extraction of sensitive data. The impact is heightened in environments where users can upload images or other "safe" file types that contain embedded PHP code.

Advisories, including those from Wordfence, highlight the vulnerability and point to code changes in version 3.4.13 of the plugin, visible in the WordPress plugin trac repository, as the fix. Security practitioners should urge immediate updates to version 3.4.13 or later for affected WordPress sites running the plugin to mitigate the risk of exploitation.

EU & UK References

Vulnerability details

The Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.4.12 via the 'locate_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. The file included must have a .php extension.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An unauthenticated LFI leading to RCE in a public-facing WordPress plugin maps directly to exploitation under T1190; the ability to include arbitrary PHP files enables web shell deployment and execution under T1505.003.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1661 (shared CWE-22)
CVE-2026-33529 (shared CWE-22)
CVE-2026-9550 (shared CWE-22)
CVE-2024-44373 (shared CWE-22)
CVE-2019-25471 (shared CWE-22)
CVE-2025-67684 (shared CWE-22)
CVE-2025-41758 (shared CWE-22)
CVE-2025-12382 (shared CWE-22)
CVE-2025-54446 (shared CWE-22)
CVE-2026-39844 (shared CWE-22)

Affected Assets

addonmaster / post grid master, versions ≤ 3.4.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): requires validation of information inputs such as file paths, directly preventing the path traversal in the locate_template function that leads to LFI.

SI-2 (prevent): mandates identification, reporting, and correction of flaws, ensuring timely patching of the vulnerable Post Grid Master plugin to version 3.4.13 or later.

RA-5 (prevent, detect): requires vulnerability scanning to identify the LFI flaw in the plugin and initiate remediation before exploitation.
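As an added illustration of the input validation SI-10 calls for (this is not the Post Grid Master plugin's code, nor code from the Wordfence advisory), the following PHP shows how a template-locating helper can reject a user-controlled template name before it reaches the filesystem: the name is looked up in a fixed map of known templates, and the resolved path is then confirmed to sit inside the plugin's template directory. The function name, the directory constant, and the template names are hypothetical.

```php
<?php
// Added example: a defensive template locator for a WordPress-style plugin.
// Not the plugin's own code; all names below are hypothetical.
declare(strict_types=1);

// Hypothetical directory holding the plugin's own template files.
const HYPOTHETICAL_TEMPLATE_DIR = __DIR__ . '/templates';

// Allow-list: the only template names a shortcode attribute may select.
// Mapping to a fixed file name means no user bytes ever form part of a path.
const HYPOTHETICAL_TEMPLATES = [
    'grid'    => 'grid.php',
    'list'    => 'list.php',
    'masonry' => 'masonry.php',
];

/**
 * Resolve a template name from untrusted input to an absolute path.
 * Returns the canonical path of the template file, or null if the
 * name is not on the allow-list or the file resolves outside the
 * template directory (e.g. via a symlink).
 */
function hypothetical_safe_locate_template(string $name): ?string
{
    // 1. Reject anything that is not an exact allow-listed key. This
    //    stops "../", absolute paths, NUL bytes and wrapper schemes
    //    before any filesystem call is made.
    if (!array_key_exists($name, HYPOTHETICAL_TEMPLATES)) {
        return null;
    }

    // 2. Build the candidate from the fixed file name, never from $name.
    $candidate = HYPOTHETICAL_TEMPLATE_DIR . '/' . HYPOTHETICAL_TEMPLATES[$name];

    // 3. Defence in depth: canonicalise and confirm containment, so a
    //    template file replaced by a symlink cannot escape the directory.
    $base = realpath(HYPOTHETICAL_TEMPLATE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample inputs: one valid name and several traversal-style
// values of the kind a scanner or request log might show.
$samples = [
    'grid',
    '../../wp-config',
    'grid/../../wp-config',
    "grid\0.php",
    'php://filter/resource=grid',
];
foreach ($samples as $input) {
    $resolved = hypothetical_safe_locate_template($input);
    printf("%-30s => %s\n", json_encode($input), $resolved ?? 'rejected');
}
```

The allow-list is the control that actually satisfies SI-10; the realpath containment check is a second layer so that the function remains safe even if the directory contents change underneath it. Logging rejected names (rather than silently returning null) gives the detection side of RA-5 something to alert on.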

References