What the vulnerability does
01 Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme The Post Grid the-post-grid allows PHP Local File Inclusion. This issue affects The Post Grid: from n/a through <= 7.7.17.
Explanation of Vulnerability in Simple Terms
02 Summary
The Post Grid plugin for WordPress contains a code injection vulnerability affecting versions up to 7.7.17. An authenticated attacker with low privileges can inject and execute arbitrary code on the site, potentially compromising the entire WordPress installation. The vulnerability requires network access but no user interaction. Site administrators should update immediately to a patched version.
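An added example, not part of the advisory or the plugin's code: a Python audit that finds copies of the plugin under a web root and flags any whose version falls in the affected range (through 7.7.17). The `wp-content/plugins/the-post-grid` layout, reading `Version:` from the top-level PHP file that carries the plugin header, and the sample header are assumptions.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "the-post-grid"  # plugin slug as given in the advisory
LAST_AFFECTED = (7, 7, 17)     # advisory: affected through <= 7.7.17
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: The Post Grid\nVersion: 7.7.2\n*/\n"  # constructed
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """'7.7.17-beta' -> (7, 7, 17): keeps the leading dotted-number run only."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_affected(version):
    """Numeric compare: 7.7.2 < 7.7.17, which a plain string compare gets wrong."""
    v = parse_version(version)
    n = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (n - len(t))  # so 7.7 compares as 7.7.0
    return pad(v) <= pad(LAST_AFFECTED)

def installed_version(plugin_dir):
    """Version from the top-level PHP file that carries the plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit near the top
        m = VERSION_RE.search(head)
        if "Plugin Name:" in head and m:
            return m.group(1)
    return None

def audit(root):
    """Return [(plugin_dir, version, status)] for each copy found under root."""
    found = []
    for d in sorted(Path(root).rglob(PLUGIN_SLUG)):
        if d.is_dir() and d.parent.name == "plugins":
            ver = installed_version(d)
            status = "unknown" if ver is None else "AFFECTED" if is_affected(ver) else "ok"
            found.append((str(d), ver, status))
    return found

def demo():
    """Audit a constructed one-site tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        plug = Path(tmp, "site1", "wp-content", "plugins", PLUGIN_SLUG)
        plug.mkdir(parents=True)
        (plug / "main.php").write_text(SAMPLE_HEADER)
        return [(v, s) for _, v, s in audit(tmp)]

if __name__ == "__main__":
    print(demo())
```

A status of "ok" only means the version is above the affected range stated here; "unknown" means the directory exists but no version header could be read and should be checked by hand.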
What an attacker can do
03 Attacker Capabilities
Run arbitrary code on the WordPress site with the privileges of the authenticated user.
Potential impact on your site
04 Site Impact
An attacker with a low-privilege account can execute code, read/modify data, or take over the site.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress account with low-level privileges (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
March 27, 2025: CVE published
April 28, 2026: Record updated