Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Akhtarujjaman Shuvo Post Grid Master ajax-filter-posts allows PHP Local File Inclusion.This issue affects Post Grid Master: from n/a through <= 3.4.12.
Published: 2025-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an improper control of the filename used in PHP include/require statements within the Post Grid Master ajax-filter-posts functionality. This flaw permits an attacker to cause the plugin to include locally stored files when a crafted request is made. The inclusion can expose sensitive server files or enable execution of malicious code, potentially leading to data disclosure or local code execution on the web server. The weakness maps to CWE‑706 and CWE‑98.

Affected Systems

The vulnerability affects the WordPress Post Grid Master plugin developed by Akhtarujjaman Shuvo. Any installation of this plugin from its earliest release up to and including version 3.4.12 is vulnerable. The plugin is a WordPress extension that provides AJAX‑filtered post grids. No other vendors or products are currently listed as affected.

Risk and Exploitability

The CVSS score is 6.5, indicating a moderate severity. The EPSS value is below 1%, suggesting that the current exploitation likelihood is very low, and the vulnerability is not listed in the CISA KEV catalogue. The LFI flaw is likely exploitable by sending a crafted request to the ajax‑filter endpoint to force the plugin to include a local file; the attacker only needs access to the vulnerable site’s URL. Because no remote file inclusion or privileged code execution is required, the attack vector is local to the web application. Organizations should treat this flaw as a moderate risk but act promptly to remediate.

Generated by OpenCVE AI on May 1, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Post Grid Master plugin to the latest release that removes the LFI vulnerability.
  • If an upgrade is not immediately feasible, remove or restrict the "/wp-admin/admin-ajax.php?action=post_grid_filter…" endpoint by disabling the plugin or removing the action hook so that unauthenticated requests cannot trigger the include.
  • As a temporary workaround, modify the plugin’s code to enforce strict path checks: validate the filename against a whitelist of expected files or directories before including it, and change the include path to a fixed, safe directory.
  • Ensure that PHP’s configuration disables "allow_url_include" and sets "open_basedir" to restrict file inclusion to a safe set of directories.

Generated by OpenCVE AI on May 1, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3925 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AddonMaster Post Grid Master allows PHP Local File Inclusion. This issue affects Post Grid Master: from n/a through 3.4.12.
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AddonMaster Post Grid Master allows PHP Local File Inclusion. This issue affects Post Grid Master: from n/a through 3.4.12. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Akhtarujjaman Shuvo Post Grid Master ajax-filter-posts allows PHP Local File Inclusion.This issue affects Post Grid Master: from n/a through <= 3.4.12.
References

Mon, 09 Jun 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Addonmaster
Addonmaster post Grid Master
Weaknesses CWE-706
CPEs cpe:2.3:a:addonmaster:post_grid_master:*:*:*:*:*:wordpress:*:*
Vendors & Products Addonmaster
Addonmaster post Grid Master

Wed, 12 Feb 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AddonMaster Post Grid Master allows PHP Local File Inclusion. This issue affects Post Grid Master: from n/a through 3.4.12.
Title WordPress Post Grid Master plugin <= 3.4.12 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Addonmaster Post Grid Master
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:33.236Z

Reserved: 2025-01-23T14:52:51.691Z

Link: CVE-2025-24733

cve-icon Vulnrichment

Updated: 2025-02-12T19:54:44.578Z

cve-icon NVD

Status : Modified

Published: 2025-01-24T18:15:47.697

Modified: 2026-04-23T15:25:24.310

Link: CVE-2025-24733

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:30:05Z

Weaknesses