Local File Inclusion Vulnerability in Post Grid Master Plugin for WordPress
CVE-2024-11642

9.8 CRITICAL

Summary

The Post Grid Master plugin for WordPress is vulnerable to Local File Inclusion via the 'locate_template' function. The flaw allows unauthenticated attackers to include and execute arbitrary files on the server, so any PHP code contained in those files is executed. Attackers may leverage this vulnerability to bypass access restrictions, extract sensitive data, or achieve code execution in cases where legitimate file types such as images can be uploaded and then included. The impacted .php files pose a significant risk, and users are urged to update to more secure versions promptly.

Affected Version(s)

Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder: <= 3.4.12

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

AmrAwad