GCVE - cpe:2.3:a:wpwax:post_grid\,_slider_\&_carousel

Approved changes feed: RSS · Atom

cpe:2.3:a:wpwax:post_grid\,_slider_\&_carousel_ultimate:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor	Wpwax (`29e8d6fe-c9fa-59bf-8dd1-08817559bd7a`)
Product	Post Grid, Slider & Carousel Ultimate (`f9774af2-7bae-5ba0-84a6-062100ca417e`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-24782`	vulnerable	2026-06-03 14:59:56.898945	WordPress Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin <= 1.6.10 - Local File Inclusion vulnerability MEDIUM (6.5) Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate post-grid-carousel-ultimate allows PHP Local File Inclusion.This issue affects Post Grid, Slider & Carousel Ultimate: from n/a through <= 1.6.10. Published: 2025-01-27T14:22:19.820Z Updated: 2026-05-11T23:21:06.943Z Open on db.gcve.eu Reference links https://patchstack.com/database/Wordpress/Plugin/post-grid-carousel-ultimate/vulnerability/wordpress-post-grid-slider-carousel-ultimate-with-shortcode-gutenberg-block-elementor-widget-plugin-1-6-10-local-file-inclusion-vulnerability?_s_id=cve	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-2006`	vulnerable	2026-06-03 14:55:28.127968	Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.7 - Authenticated (Contributor+) PHP Object Injection in outpost_shortcode_metabox_markup HIGH (8.8) The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Published: 2024-03-13T15:27:04.179Z Updated: 2026-04-08T17:06:07.519Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/8cf1b234-862b-41a0-ab63-a986f8023613?source=cve https://plugins.trac.wordpress.org/browser/post-grid-carousel-ultimate/trunk/includes/classes/metabox.php#L43 https://plugins.trac.wordpress.org/changeset?old_path=/post-grid-carousel-ultimate/tags/1.6.7&old=3045923&new_path=/post-grid-carousel-ultimate/tags/1.6.8&new=3045923&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-29925`	vulnerable	2026-06-03 14:55:27.677721	WordPress Post Grid, Slider & Carousel Ultimate plugin <= 1.6.6 - Cross Site Scripting (XSS) vulnerability MEDIUM (6.5) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate allows Stored XSS.This issue affects Post Grid, Slider & Carousel Ultimate: from n/a through 1.6.6. Published: 2024-03-27T07:26:09.835Z Updated: 2026-04-28T16:09:20.453Z Open on db.gcve.eu Reference links https://patchstack.com/database/vulnerability/post-grid-carousel-ultimate/wordpress-post-grid-slider-carousel-ultimate-plugin-1-6-6-cross-site-scripting-xss-vulnerability?_s_id=cve	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-13409`	vulnerable	2026-06-03 14:54:24.576287	Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler() HIGH (7.5) The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' parameter of the post_type_ajax_handler() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Published: 2025-01-24T11:07:30.708Z Updated: 2026-04-08T16:46:31.117Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/38672a45-b7a7-445f-9e77-7050df6920fa?source=cve https://plugins.trac.wordpress.org/browser/post-grid-carousel-ultimate/tags/1.6.10/includes/classes/ajax.php https://ja.wordpress.org/plugins/post-grid-carousel-ultimate/ https://plugins.trac.wordpress.org/changeset/3227281/post-grid-carousel-ultimate/tags/1.7/includes/classes/ajax.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-1266`	vulnerable	2026-06-03 14:45:58.393792	Post Grid, Slider & Carousel Ultimate < 1.5.0 - Admin+ Stored XSS The Post Grid, Slider & Carousel Ultimate WordPress plugin before 1.5.0 does not sanitise and escape the Header Title, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Published: 2022-06-20T10:25:48.000Z Updated: 2024-08-02T23:55:24.438Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/7800d583-fcfc-4360-9dc3-af3f73e12ab4	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Post Grid, Slider & Carousel Ultimate

PURL mappings

Vulnerability references

Contribute