CVE-2025-15491 PUBLISHED

Post Slides <= 1.0.1 - Contributor+ Local File Inclusion

Assigner: WPScan
Reserved: 08.01.2026 Published: 07.02.2026 Updated: 07.02.2026

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include functions, allowing any authenticated user with the contributor role or higher to perform local file inclusion (LFI) attacks.

Product Status

Vendor Unknown
Product Post Slides
Versions Default: affected
  • affected from 0 to 1.0.1 (incl.)

Credits

  • Khaled Alenazi (Nxploited), finder
  • WPScan, coordinator

Problem Types

  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')