CVE-2025-24782

Medium

Published: 27 January 2025

Published

27 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0034 56.6th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24782 is a medium-severity PHP Remote File Inclusion (CWE-98) vulnerability in Wpwax Post Grid\, Slider \& Carousel Ultimate. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the PHP Local File Inclusion vulnerability in the post-grid-carousel-ultimate WordPress plugin by requiring timely patching or removal of affected versions up to 1.6.10.

SI-10 Information Input Validation good match

prevent

Prevents exploitation of improper filename controls in PHP include/require statements by validating user-supplied inputs, addressing the core flaw enabling local file disclosure.

CM-6 Configuration Settings good match

prevent

Enforces secure configuration settings such as PHP open_basedir restrictions or disabling dangerous functions to block unauthorized local file access via vulnerable plugins.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

LFI vulnerability in public-facing WordPress plugin directly enables exploitation of the web application (T1190) for unauthorized local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate post-grid-carousel-ultimate allows PHP Local File Inclusion.This issue affects Post Grid, Slider & Carousel Ultimate: from n/a through…

<= 1.6.10.

Deeper analysisAI

CVE-2025-24782 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as PHP Remote File Inclusion but manifesting as PHP Local File Inclusion, in the wpWax Post Grid, Slider & Carousel Ultimate WordPress plugin (post-grid-carousel-ultimate). This issue affects all versions from n/a through 1.6.10, as documented in the CVE description published on 2025-01-27.

The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility with low attack complexity. It requires low privileges (such as an authenticated contributor or similar role) and no user interaction, enabling exploitation to achieve high confidentiality impact through unauthorized disclosure of local files on the server.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/post-grid-carousel-ultimate/vulnerability/wordpress-post-grid-slider-carousel-ultimate-with-shortcode-gutenberg-block-elementor-widget-plugin-1-6-10-local-file-inclusion-vulnerability?_s_id=cve details the Local File Inclusion flaw specifically in plugin version 1.6.10. Practitioners should review the advisory for mitigation guidance, including potential patches or workarounds from the vendor.