CVE-2025-15491 is a path traversal vulnerability classified under CWE-22 affecting the Post Slides WordPress plugin through version 1.0.1. The vulnerability arises because the plugin fails to properly validate certain shortcode attributes before using them to construct file paths passed to PHP include functions. This improper limitation allows authenticated users with contributor or higher privileges to craft malicious shortcode attributes that manipulate the file path, enabling local file inclusion (LFI) attacks. LFI can allow attackers to read arbitrary files on the server, potentially exposing sensitive configuration files, credentials, or other data. The vulnerability requires the attacker to be authenticated with at least contributor-level access, which is common in collaborative WordPress environments. The CVSS 3.1 base score is 5.5 (medium), reflecting network exploitability with low attack complexity but requiring privileges and no user interaction. The scope is changed due to potential impact on confidentiality and integrity, but availability is unaffected. No public exploits or patches are currently available, increasing the urgency for site administrators to monitor and apply updates once released. The vulnerability is significant because WordPress powers a large portion of the web, and plugins like Post Slides are widely used for content presentation, making affected sites attractive targets for attackers seeking to escalate privileges or access sensitive data.

The primary impact of CVE-2025-15491 is unauthorized local file inclusion, which can lead to disclosure of sensitive files such as configuration files, password stores, or other critical data on the server. This compromises confidentiality and potentially integrity if attackers use the LFI to execute arbitrary code or manipulate site content. Since exploitation requires contributor-level authentication, the threat is elevated in environments with many users having such privileges, including multi-author blogs or corporate sites. While availability is not directly impacted, the breach of confidentiality and integrity can lead to further attacks, reputational damage, and compliance violations. Organizations worldwide using the Post Slides plugin are at risk, especially those with large user bases or sensitive data hosted on WordPress. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers could develop exploits. The medium severity score reflects a moderate but actionable risk that should be addressed promptly to prevent escalation.

1. Immediately restrict contributor and higher roles from using shortcodes related to Post Slides until a patch is available. 2. Monitor and audit user activity for suspicious shortcode usage or file access patterns. 3. Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts targeting the plugin’s shortcode parameters. 4. Limit file system permissions of the web server to prevent access to sensitive files outside the web root. 5. Regularly update the Post Slides plugin as soon as a security patch is released by the vendor. 6. Consider disabling or replacing the Post Slides plugin with alternatives that have better security track records if immediate patching is not feasible. 7. Educate site administrators and content contributors about the risks of shortcode misuse and enforce least privilege principles. 8. Use security plugins that can detect anomalous file inclusion or path traversal behaviors within WordPress environments.