CVE-2024-13408: 
WordPress vulnerability analysis and mitigation

The Post Grid, Slider & Carousel Ultimate plugin for WordPress (CVE-2024-13408) contains a Local File Inclusion vulnerability affecting all versions up to and including 1.6.10. The vulnerability was discovered and disclosed on January 24, 2025 (NVD).

The vulnerability exists in the 'theme' attribute of the pgcu shortcode, which can be exploited by authenticated users with Contributor-level access or higher. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (NVD, Wordfence).

The vulnerability allows attackers to include and execute arbitrary files on the server, enabling the execution of any PHP code within those files. This can lead to access control bypasses, sensitive data exposure, and potential code execution in scenarios where PHP files can be uploaded and included (NVD).

A patch has been released in version 1.7 of the plugin. Users are advised to update to this version or later to mitigate the vulnerability (WordPress Plugin).