CVE-2025-24733 identifies a Local File Inclusion (LFI) vulnerability in the Post Grid Master WordPress plugin developed by Akhtarujjaman Shuvo, specifically within the ajax-filter-posts feature. The vulnerability stems from improper validation and control of filenames used in PHP include or require statements, which allows an attacker to manipulate the filename parameter to include arbitrary local files from the server. This can lead to unauthorized disclosure of sensitive files such as configuration files, password files, or application source code. In some cases, LFI vulnerabilities can be escalated to remote code execution if attackers can include files containing malicious code or leverage log poisoning techniques. The affected versions include all releases up to and including 3.4.12. The vulnerability was publicly disclosed on January 24, 2025, but no CVSS score or public exploit code is currently available. The lack of patch links indicates that a fix may not yet be released, increasing the risk for users of this plugin. Since Post Grid Master is a WordPress plugin, the vulnerability primarily affects websites running this plugin, exposing them to potential compromise if the ajax-filter-posts endpoint is accessible and not properly secured. The vulnerability does not require authentication or user interaction, making it easier for remote attackers to exploit. The absence of a CVSS score necessitates a severity assessment based on the nature of the vulnerability and its potential impact.

The impact of CVE-2025-24733 can be significant for organizations using the Post Grid Master plugin on their WordPress sites. Successful exploitation allows attackers to read arbitrary files on the web server, potentially exposing sensitive information such as database credentials, configuration files, or private keys. This can lead to further attacks including privilege escalation, data theft, or complete server compromise. If attackers can leverage the LFI to execute arbitrary code, the impact escalates to full system takeover. The vulnerability affects the confidentiality and integrity of data and may also impact availability if the attacker disrupts normal operations. Since WordPress powers a large portion of websites globally, and Post Grid Master is a popular plugin, the scope of affected systems is broad. The ease of exploitation without authentication increases the risk of automated scanning and mass exploitation attempts. Organizations with public-facing WordPress sites using this plugin are particularly vulnerable, especially those lacking proper web application firewalls or input validation controls.

To mitigate CVE-2025-24733, organizations should immediately check if they use the Post Grid Master plugin and identify the version in use. Until an official patch is released, apply the following specific measures: 1) Restrict access to the ajax-filter-posts endpoint using web server rules or security plugins to limit exposure to trusted users or IP addresses. 2) Implement strict input validation and sanitization on all parameters that influence file inclusion, ensuring only expected filenames or whitelisted values are accepted. 3) Disable or remove the vulnerable plugin if it is not essential to reduce the attack surface. 4) Monitor web server logs for suspicious requests attempting directory traversal or unusual file inclusion patterns. 5) Deploy a Web Application Firewall (WAF) with rules to detect and block LFI attack attempts. 6) Once a patch is available from the vendor, apply it promptly and test the environment for residual vulnerabilities. 7) Educate development and security teams about secure coding practices to prevent similar vulnerabilities in custom plugins or themes.