CVE-2025-24782 is a vulnerability classified as Improper Control of Filename for Include/Require Statement in PHP, commonly referred to as a Remote File Inclusion (RFI) vulnerability. It affects the wpWax Post Grid, Slider & Carousel Ultimate WordPress plugin, specifically versions up to and including 1.6.10. The vulnerability stems from insufficient validation or sanitization of user-supplied input used in PHP include or require statements. This flaw allows an attacker to manipulate the filename parameter to include remote or local files, which the PHP interpreter then executes. This can lead to remote code execution on the web server hosting the vulnerable plugin. The vulnerability is particularly dangerous because it does not require authentication or user interaction, making it exploitable by any remote attacker who can send crafted requests to the affected WordPress site. Although no known public exploits have been reported yet, the nature of RFI vulnerabilities historically leads to rapid exploitation once disclosed. The plugin is widely used for displaying post grids, sliders, and carousels on WordPress sites, which are popular globally. The vulnerability affects the confidentiality, integrity, and availability of affected systems, as attackers can execute arbitrary code, potentially leading to data theft, defacement, or full server compromise. The vulnerability was published on January 27, 2025, but no CVSS score has been assigned yet. The lack of a patch link indicates that a fix may not be available at the time of disclosure, increasing the urgency for mitigation.

The impact of CVE-2025-24782 is significant for organizations running WordPress sites with the vulnerable wpWax plugin. Successful exploitation allows attackers to execute arbitrary PHP code remotely, potentially leading to full server compromise. This can result in unauthorized data access, data modification or deletion, website defacement, deployment of malware or ransomware, and use of the compromised server as a pivot point for further attacks within the network. E-commerce sites, media outlets, and any organizations relying on WordPress for critical web presence are at risk of reputational damage, financial loss, and regulatory penalties due to data breaches. The vulnerability's ease of exploitation without authentication increases the likelihood of automated scanning and exploitation attempts by threat actors. Organizations with inadequate monitoring and incident response capabilities may suffer prolonged undetected breaches. The absence of a patch at disclosure time further exacerbates the risk, forcing reliance on temporary mitigations.

1. Immediately monitor for any unusual or suspicious requests targeting the plugin's endpoints, especially those attempting to manipulate include or require parameters. 2. Disable remote file inclusion in PHP by setting 'allow_url_include=Off' and 'allow_url_fopen=Off' in the php.ini configuration to reduce risk. 3. Apply strict input validation and sanitization on any user-supplied parameters that influence file inclusion, using whitelisting approaches where possible. 4. Temporarily disable or remove the wpWax Post Grid, Slider & Carousel Ultimate plugin if a patch is not yet available and the plugin is not critical to operations. 5. Keep WordPress core, themes, and all plugins updated; apply the official patch from the vendor as soon as it is released. 6. Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit file inclusion vulnerabilities. 7. Conduct regular security audits and vulnerability scans to identify and remediate similar issues proactively. 8. Implement least privilege principles on the web server to limit the impact of potential code execution. 9. Maintain comprehensive backups and an incident response plan to recover quickly in case of compromise.