Post Slides <= 1.0.1 – Contributor+ Local File Inclusion | CVE 2025-15491

Description

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks

Proof of Concept

Add a post with the shortcode `[post-slides skin="../../../../wp-config"]` to see the inclusion of `wp-config.php

Affects Plugins

post-slides

No known fix

References

CVE

CVE-2025-15491

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

5.5 (medium)

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/Nxploited

Verified

Yes

WPVDB ID

eb0424cc-e60c-44a5-aa24-cd1fe042b27a

Timeline

Publicly Published

2026-01-16 (about 21 days ago)

Added

2026-01-09 (about 28 days ago)

Last Updated

2026-01-09 (about 28 days ago)

Other

Published

Title

Published

2016-03-23

Title

Brandfolder <= 3.0 - File Inclusion

Published

2025-08-27

Title

Printeers Print & Ship <= 1.17.0 - Unauthenticated Path Traversal

Published

2024-05-17

Title

Salon booking system < 10.0 - Unauthenticated Arbitrary File Deletion

Published

2018-03-16

Title

Site Editor <= 1.1.1 - Local File Inclusion (LFI)

Published

2022-05-16

Title

Herd Effects < 5.2.1 - Admin+ LFI