Platform
wordpress
Component
post-slides
Fixed in
1.0.2
CVE-2025-15491 describes a Local File Inclusion (LFI) vulnerability discovered in the Post Slides WordPress plugin. This flaw allows authenticated users, such as those with contributor roles or higher, to potentially read arbitrary files on the server. The vulnerability affects versions 0 through 1.0.1 of the plugin. A fix is expected to be released by the plugin developers.
The LFI vulnerability in Post Slides allows an attacker who has authenticated access to the WordPress site (e.g., a contributor or editor) to manipulate shortcode attributes to include arbitrary files. This means an attacker could potentially read sensitive files such as wp-config.php (containing database credentials), theme files, or other configuration files. Successful exploitation could lead to unauthorized access to the database, compromise of the entire WordPress site, and potential data exfiltration. While the vulnerability requires authentication, the widespread use of WordPress and the ease of obtaining contributor-level access make this a significant risk.
This vulnerability was publicly disclosed on 2026-02-07. There are currently no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at this time. The ease of exploitation, combined with the plugin's popularity, suggests that it could become a target for opportunistic attackers.
WordPress websites using the Post Slides plugin, particularly those with multiple users having contributor or higher roles, are at risk. Shared hosting environments where users have limited control over plugin configurations are also particularly vulnerable. Sites with outdated WordPress installations or weak security practices are at increased risk.
• wordpress / composer / npm:
  grep -r "include(get_include_path()" /var/www/html/wp-content/plugins/post-slides/
• wordpress / composer / npm:
  wp plugin list --status=all | grep "post-slides"
• generic web:
  curl -I http://your-wordpress-site.com/wp-content/plugins/post-slides/ | grep -i "include"
disclosure
Exploit status
EPSS
0.02% (4th percentile)
CVSS vector
The primary mitigation for CVE-2025-15491 is to upgrade the Post Slides plugin to a version that addresses the vulnerability. Until a patch is available, consider restricting file access permissions on the WordPress server to minimize the potential impact of a successful exploit. Implement a Web Application Firewall (WAF) with rules to block suspicious requests containing manipulated shortcode attributes. Regularly review WordPress user roles and permissions to ensure that only necessary access is granted. Monitor WordPress logs for unusual file access patterns.
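The server-side input validation recommended above, shown as an added example that is not the Post Slides plugin's own code: a shortcode handler that maps a user-controlled attribute to a file strictly inside its own template directory. The shortcode name `post_slides_example`, the `template` attribute and the `templates/` directory are assumptions for illustration.

```php
<?php
// Added example (not the Post Slides plugin's code): resolve a shortcode
// attribute to a template file without allowing path traversal. The
// shortcode name, attribute name and directory are assumed for illustration.

define('PS_EXAMPLE_TEMPLATE_DIR', __DIR__ . '/templates');

/**
 * Map an attacker-controllable attribute to a file inside the template
 * directory. Returns the absolute path, or null if the value is rejected.
 */
function ps_example_resolve_template($name) {
    // 1. Allowlist: only simple identifiers, so no "/", "..", "." or null bytes.
    if (!is_string($name) || !preg_match('/^[a-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    // 2. Canonicalise both the base directory and the candidate path;
    //    realpath() resolves symlinks and "../" and fails for missing files.
    $base      = realpath(PS_EXAMPLE_TEMPLATE_DIR);
    $candidate = realpath(PS_EXAMPLE_TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // 3. Containment check: the canonical path must stay under the base.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function ps_example_shortcode($atts) {
    // shortcode_atts() is a real WordPress helper that fills in defaults.
    $atts = shortcode_atts(array('template' => 'default'), $atts, 'post_slides_example');
    $file = ps_example_resolve_template($atts['template']);
    if ($file === null) {
        // Reject quietly and log it for monitoring; never echo the raw input.
        error_log('post_slides_example: rejected template attribute');
        return '';
    }
    ob_start();
    include $file;   // only reached for an allowlisted file under templates/
    return ob_get_clean();
}

if (function_exists('add_shortcode')) {
    add_shortcode('post_slides_example', 'ps_example_shortcode');
}
```

The regular expression alone already rejects values such as `../../wp-config.php`; the `realpath()` containment check is a second, independent layer in case the allowlist is loosened later.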
No known patch available. Please review the vulnerability details thoroughly and implement protective measures based on your organisation's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-15491 is a Local File Inclusion vulnerability in the Post Slides WordPress plugin, allowing authenticated users to read arbitrary files on the server. It affects versions 0 through 1.0.1 and has a CVSS score of 7.5.
You are affected if your WordPress site uses the Post Slides plugin in versions 0–1.0.1 and you have users with contributor or higher roles.
Upgrade to the latest version of the Post Slides plugin as soon as a patch is released. Until then, restrict access to the plugin's shortcode functionality or implement server-side input validation.
No active exploitation has been confirmed at this time, but the ease of exploitation suggests a PoC may emerge.
Please refer to the Post Slides plugin developer's website or WordPress.org plugin repository for the official advisory.