Platform: wordpress
Component: post-grid-carousel-ultimate
Fixed in: 1.6.11
CVE-2024-13409 describes a Local File Inclusion (LFI) vulnerability in the Post Grid, Slider & Carousel Ultimate plugin for WordPress. It allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server. All versions of the plugin up to and including 1.6.10 are affected; a fix is available in subsequent releases.
The impact of this vulnerability is significant because it enables code execution. An attacker with Contributor access can use the LFI to include and execute arbitrary PHP code, effectively bypassing the plugin's access controls. This could lead to disclosure of sensitive data stored on the server, modification of website content, or complete compromise of the WordPress installation. The attacker could potentially upload a malicious PHP script, include it, and gain persistent access to the system. The flaw follows the pattern of other LFI vulnerabilities in which file inclusion is leveraged to execute arbitrary code; the specific attack vector here is the 'theme' parameter handled by the plugin's AJAX handler.
CVE-2024-13409 was publicly disclosed on 2025-01-24. The vulnerability is considered relatively easy to exploit, since only authenticated Contributor access is required. No public proof-of-concept (PoC) code had been released at the time of writing, but the nature of the flaw suggests that a PoC could be developed quickly. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.36% (58th percentile)
The primary mitigation for CVE-2024-13409 is to upgrade the Post Grid plugin to a version newer than 1.6.10 (1.6.11 or later). If upgrading is not immediately feasible because of compatibility issues or breaking changes, restrict file access permissions on the WordPress server to limit the impact of a successful exploit. While not a complete solution, a Web Application Firewall (WAF) with rules that filter suspicious requests carrying the 'theme' parameter can provide an additional layer of defense. Regularly review installed WordPress plugins and remove any that are unused or outdated to reduce the attack surface.
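As an added illustration of the detection side of that mitigation (this is example code, not the plugin's or the advisory's own), the following Python scans web server access log lines for requests to the WordPress AJAX handler whose 'theme' parameter is not a plain template slug. The slug allowlist pattern, the sample log lines and the `action=example_action` query value are constructed assumptions, not taken from the plugin.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption (not from the advisory): a legitimate value for the plugin's
# 'theme' parameter is a short template slug such as "grid-1". Anything
# outside this allowlist pattern is treated as suspicious and flagged.
THEME_SLUG = re.compile(r"^[A-Za-z0-9_-]{1,40}$")


def is_safe_theme_value(value: str) -> bool:
    """Return True only if the decoded value looks like a plain template slug."""
    decoded = unquote(unquote(value))  # tolerate single or double URL-encoding
    return bool(THEME_SLUG.fullmatch(decoded))


def theme_values(request_target: str) -> list[str]:
    """Extract every 'theme' query value from a request target (path + query)."""
    query = urlsplit(request_target).query
    return parse_qs(query, keep_blank_values=True).get("theme", [])


def scan_access_log(lines):
    """Flag admin-ajax.php requests whose 'theme' value is not a plain slug.

    Returns (line_number, decoded_value) pairs for analyst review.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m or "admin-ajax.php" not in m.group(1):
            continue  # only the AJAX handler named in the advisory is in scope
        for value in theme_values(m.group(1)):
            if not is_safe_theme_value(value):
                findings.append((n, unquote(unquote(value))))
    return findings


# Constructed sample lines (Apache combined-log style); not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&theme=grid-1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&theme=..%2F..%2Fexample.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [24/Jan/2025:10:00:03 +0000] "GET /index.php?theme=..%2Fx HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for line_no, value in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious theme value {value!r}")
```

Standard access logs record only the query string, so a 'theme' value sent in a POST body is invisible to this scan; a WAF rule that also inspects request bodies closes that gap.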
Update the Post Grid, Slider & Carousel Ultimate plugin to the latest available version. The Local File Inclusion (LFI) vulnerability has been fixed in versions after 1.6.10. This prevents authenticated attackers with Contributor level or higher from executing arbitrary files on the server.
CVE-2024-13409 is a Local File Inclusion vulnerability in the Post Grid WordPress plugin that allows authenticated users (Contributor or higher) to execute arbitrary PHP code.
You are affected if you run Post Grid plugin version 1.6.10 or earlier. Check your installed plugin version and upgrade immediately.
Upgrade the Post Grid plugin to a version greater than 1.6.10. Use WAF rules as a temporary mitigation if upgrading is not immediately possible.
No active exploitation has been confirmed, but the ease of exploitation suggests the vulnerability could be targeted soon.
Refer to the Post Grid plugin developer's website or WordPress.org plugin page for the latest advisory and update information.