Platform: wordpress
Component: post-slides
Fixed in: 1.0.2
CVE-2025-15491 describes a Local File Inclusion (LFI) vulnerability discovered in the Post Slides WordPress plugin. This flaw allows authenticated users, such as those with contributor roles or higher, to potentially read arbitrary files on the server. The vulnerability affects versions 0 through 1.0.1 of the plugin. A patch is expected to be released by the plugin developer.
The LFI vulnerability in Post Slides allows an attacker with sufficient privileges (contributor or higher) to manipulate shortcode attributes to include arbitrary files. This means an attacker could potentially read sensitive configuration files, source code, or other data stored on the web server. While the vulnerability requires authentication, the widespread use of WordPress and the relatively low barrier to entry for obtaining contributor-level access significantly expands the potential attack surface. Successful exploitation could lead to data breaches, compromise of server credentials, and potentially even remote code execution if the attacker can leverage the included files to execute malicious code.
This vulnerability was publicly disclosed on 2026-02-07. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploiting LFI vulnerabilities suggests that a PoC is likely to emerge. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on authenticated access reduces the immediate risk of widespread, unauthenticated exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2025-15491 is to upgrade to a patched version of the Post Slides plugin as soon as it becomes available. Until a patch is released, consider restricting access to the plugin's shortcode functionality or implementing input validation on the server-side to prevent malicious file paths from being constructed. Web application firewalls (WAFs) configured to detect and block LFI attempts can also provide an additional layer of protection. Monitor WordPress plugin activity logs for suspicious file access patterns.
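The server-side input validation suggested above, as an added illustration that is not the Post Slides plugin's code: a shortcode handler whose file-selecting attribute is checked against an allowlist and a directory containment test before anything is passed to include(). The shortcode name `example_slides`, the `layout` attribute and the `templates` directory are assumptions for this example.

```php
<?php
// Added example (not the Post Slides plugin's code). The shortcode name,
// attribute name and template directory are assumptions for illustration.

// The weak pattern behind a shortcode-attribute LFI is a path built from the
// attribute and handed straight to include(), e.g.
//   include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['layout'] . '.php';
// A traversal sequence in the attribute then escapes the templates directory.

// Templates the plugin actually ships; any other name is rejected.
const EXAMPLE_SLIDES_LAYOUTS = array( 'default', 'carousel', 'grid' );

/**
 * Resolve a layout attribute to a template path, or null if it is not allowed.
 * Two independent checks: an allowlist of names, then a realpath() containment
 * check that the resolved file still lives under the templates directory.
 */
function example_slides_template_path( $layout, $templates_dir ) {
	$layout = sanitize_key( (string) $layout ); // lowercase [a-z0-9_-] only
	if ( ! in_array( $layout, EXAMPLE_SLIDES_LAYOUTS, true ) ) {
		return null;
	}
	$base = realpath( $templates_dir );
	$file = realpath( $templates_dir . '/' . $layout . '.php' );
	if ( false === $base || false === $file ) {
		return null;
	}
	// Containment: the resolved file must sit below the resolved base directory.
	if ( strncmp( $file, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
		return null;
	}
	return $file;
}

function example_slides_shortcode( $atts ) {
	$atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'example_slides' );
	$path = example_slides_template_path( $atts['layout'], plugin_dir_path( __FILE__ ) . 'templates' );
	if ( null === $path ) {
		// Fail closed and leave a log line for detection; never echo the raw attribute.
		error_log( 'example_slides: rejected layout attribute' );
		return '';
	}
	ob_start();
	include $path;
	return ob_get_clean();
}
add_shortcode( 'example_slides', 'example_slides_shortcode' );
```

The allowlist alone is sufficient for fixed template names; the realpath() containment check is kept as a second layer so a later change to the allowlist cannot silently reintroduce traversal.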
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-15491 is a Local File Inclusion vulnerability in the Post Slides WordPress plugin, allowing authenticated users to read arbitrary files on the server. It affects versions 0 through 1.0.1 and has a CVSS score of 7.5.
You are affected if your WordPress site uses the Post Slides plugin in versions 0–1.0.1 and you have users with contributor or higher roles.
Upgrade to the latest version of the Post Slides plugin as soon as a patch is released. Until then, restrict access to the plugin's shortcode functionality or implement server-side input validation.
No active exploitation has been confirmed at this time, but the ease of exploitation suggests a PoC may emerge.
Please refer to the Post Slides plugin developer's website or WordPress.org plugin repository for the official advisory.