CVE-2025-30814 HIGH

CVE-2025-30814: WordPress The Post Grid plugin <= 7.7.17 - Local File Inclusion vulnerability

Vendor Radiustheme
Product The Post Grid
Weakness CWE-98 · PHP file inclusion
Published March 27, 2025
Last update April 28, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme The Post Grid the-post-grid allows PHP Local File Inclusion. This issue affects The Post Grid: from n/a through <= 7.7.17.

Explanation of Vulnerability in Simple Terms

02 Summary

The Post Grid plugin for WordPress contains a PHP local file inclusion vulnerability (CWE-98) affecting versions up to and including 7.7.17. An authenticated attacker with low privileges can inject and execute arbitrary code on the site, potentially compromising the entire WordPress installation. The vulnerability requires network access but no user interaction. Site administrators should update immediately to a patched version.

What an attacker can do

03 Attacker Capabilities

Run arbitrary code on the WordPress site with the privileges of the authenticated user.

Potential impact on your site

04 Site Impact

An attacker with a low-privilege account can execute code, read/modify data, or take over the site.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress account with low-level privileges (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

March 27, 2025 CVE published
April 28, 2026 Record updated