CVE-2025-15491
Description
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include functions, allowing any authenticated user with a contributor or higher role to perform LFI attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local File Inclusion in Post Slides WordPress plugin allows authenticated users with contributor+ roles to include arbitrary files via unvalidated shortcode attributes.
The Post Slides WordPress plugin through version 1.0.1 is vulnerable to a Local File Inclusion (LFI) attack. The root cause is the lack of validation on certain shortcode attributes before they are used to construct file paths passed to PHP include functions. Because the attribute value is not sanitized, an attacker controls part of the included path [1].
Exploitation
To exploit this vulnerability, an attacker must be authenticated as a user with at least the Contributor role; no other privileges beyond standard WordPress contributor access are required. The attack consists of placing a shortcode in content with an attribute value containing path traversal sequences, which causes the plugin to include arbitrary files from the server's filesystem [1].
Impact
Successful exploitation allows an attacker to read sensitive files, such as wp-config.php or other configuration files, potentially revealing database credentials and other secrets. This information disclosure can serve as a stepping stone for further compromises of the WordPress installation [1].
Mitigation
The vulnerability was publicly disclosed on January 16, 2026, and as of the advisory's publication, there is no known fix or patched version available. Administrators are advised to restrict contributor-level access, monitor for suspicious shortcode usage, or remove the plugin until a security update is released [1].
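As an added illustration (hypothetical code written for this page, not the Post Slides plugin's own source), the unsafe pattern the description refers to is shown beside a hardened form. It assumes a WordPress plugin context and invents the shortcode name ps_demo, a template attribute and an allowlist of template names:

```php
<?php
// Hypothetical illustration, not the Post Slides plugin's code.

// Unsafe pattern: the raw attribute is concatenated into a filesystem path and
// handed to include. An attribute value containing traversal sequences escapes
// the templates directory, which is the LFI class described above.
function ps_demo_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'ps_demo' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// Hardened pattern: map the attribute onto a fixed allowlist of template names,
// so no filesystem path is ever built from the raw attribute value.
function ps_demo_shortcode_hardened( $atts ) {
    $allowed = array( 'default', 'carousel', 'grid' ); // constructed allowlist
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'ps_demo' );

    // sanitize_key() reduces the value to [a-z0-9_-]; anything else is rejected
    // by the allowlist check and falls back to the default template.
    $template = sanitize_key( $atts['template'] );
    if ( ! in_array( $template, $allowed, true ) ) {
        $template = 'default';
    }

    // Defense in depth: confirm the resolved file still lives inside templates/.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $real = realpath( $base . DIRECTORY_SEPARATOR . $template . '.php' );
    if ( false === $base || false === $real
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $real;
    return ob_get_clean();
}
add_shortcode( 'ps_demo', 'ps_demo_shortcode_hardened' );
```

The allowlist is the primary control; the realpath() check only catches mistakes in how the allowlist is maintained (for example a template name that is itself a path).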
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.