Vulnerabilities > CVE-2025-24782 - PHP Remote File Inclusion vulnerability in Wpwax Post Grid, Slider & Carousel Ultimate

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

wpwax

CWE-98

NVD

Published: 2025-01-27

Updated: 2025-01-27

Summary

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate allows PHP Local File Inclusion. This issue affects Post Grid, Slider & Carousel Ultimate: from n/a through 1.6.10.

Vulnerable Configurations

Part	Description	Count
Application	Wpwax Wpwax Post Grid, Slider & Carousel Ultimate - Wpwax Post Grid, Slider & Carousel Ultimate 1.0.0 Wpwax Post Grid, Slider & Carousel Ultimate 1.0.1 Wpwax Post Grid, Slider & Carousel Ultimate 1.0.2 Wpwax Post Grid, Slider & Carousel Ultimate 1.1.0 Wpwax Post Grid, Slider & Carousel Ultimate 1.1.1 Wpwax Post Grid, Slider & Carousel Ultimate 1.2.0 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.0 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.1 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.2 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.3 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.4 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.5 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.6 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.7 Wpwax Post Grid, Slider & Carousel Ultimate 1.3.8 Wpwax Post Grid, Slider & Carousel Ultimate 1.4.0 Wpwax Post Grid, Slider & Carousel Ultimate 1.4.1 Wpwax Post Grid, Slider & Carousel Ultimate 1.4.2 Wpwax Post Grid, Slider & Carousel Ultimate 1.4.3 Wpwax Post Grid, Slider & Carousel Ultimate 1.5.0 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.0 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.1 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.2 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.3 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.4 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.5 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.6 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.7 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.8 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.9 Wpwax Post Grid, Slider & Carousel Ultimate 1.6.10	32

Common Weakness Enumeration (CWE)

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Common Attack Pattern Enumeration and Classification (CAPEC)

PHP Remote File Inclusion
In this pattern the attacker is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows attackers to hijack the targeted application and force it to execute their own instructions.

References

https://patchstack.com/database/wordpress/plugin/post-grid-carousel-ultimate/vulnerability/wordpress-post-grid-slider-carousel-ultimate-with-shortcode-gutenberg-block-elementor-widget-plugin-1-6-10-local-file-inclusion-vulnerability?_s_id=cve