Description
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks
Published: 2026-02-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a local file inclusion flaw in the Post Slides WordPress plugin, caused by the plugin not validating certain shortcode attributes before using them to build file paths for include functions. This allows authenticated contributors or higher to cause the plugin to read arbitrary files on the server, exposing sensitive configuration data or credentials. The weakness falls under CWE‑22.

Affected Systems

The affected product is the Post Slides WordPress plugin version 1.0.1 or earlier. The plugin is distributed without a vendor name in the CNA data, so any site running the vulnerable version is at risk.

Risk and Exploitability

The CVSS score of 5.5 denotes a moderate severity, and the EPSS score of <1% indicates a low current exploitation likelihood. The flaw can be exploited by any authenticated user with a contributor role or higher by supplying specially crafted shortcode attributes that are not validated, allowing the plugin to include arbitrary files via the include functions. While the vulnerability is not listed in the CISA KEV catalog, the fact that contributors are common in many installations means remediation should be prioritized.

Generated by OpenCVE AI on April 28, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Post Slides plugin to the newest publicly available version, if a vendor patch has been released.
  • Remove any existing Post Slides shortcodes from posts and pages to eliminate the immediate attack vector.
  • Restrict the use of the Post Slides plugin to administrators only until the vulnerability is patched.

Generated by OpenCVE AI on April 28, 2026 at 17:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 07 Feb 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks
Title Post Slides <= 1.0.1 - Contributor+ Local File Inclusion
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:55.775Z

Reserved: 2026-01-08T18:41:43.510Z

Link: CVE-2025-15491

cve-icon Vulnrichment

Updated: 2026-02-09T14:23:17.718Z

cve-icon NVD

Status : Deferred

Published: 2026-02-07T06:16:04.003

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15491

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:00:14Z

Weaknesses