PT-2022-9475 · WordPress · Custom Content Shortcode
Francesco Carlucci · Published 2022-03-07 · Updated 2022-04-12 · CVE-2021-24825
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Custom Content Shortcode WordPress plugin versions prior to 4.0.2
Description
The issue allows users with certain privileges to display arbitrary files from the filesystem, such as logs or .htaccess files, and to perform Local File Inclusion attacks, which can lead to the execution of PHP files. It can be exploited by Contributor+ users in versions prior to 4.0.1 and by Admin+ users in versions prior to 4.0.2. On single-site blogs, Admin+ users can still exploit this issue by default, unless the unfiltered_html or file edit capabilities are disallowed.
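To scope exposure before or after patching, post content can be audited for uses of the plugin's load shortcode, ranked by the author's role. This is an added example, not code from the plugin or from this advisory; the row shape, the role set, the severity rule and the attribute names in the sample data are assumptions.

```python
import re

# The advisory says Contributor+ could exploit versions before 4.0.1.
LOW_PRIV_ROLES = {"contributor", "author", "editor"}
# Tag name "load" comes from the advisory; attribute names are not assumed.
LOAD_RE = re.compile(r"\[load(?:\s+([^\]]*))?\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Constructed sample rows; the attribute names "file" and "dir" are assumptions.
SAMPLE_POSTS = [
    {"id": 11, "author_role": "administrator", "content": 'Intro [load file="snippets/footer.html"] end'},
    {"id": 12, "author_role": "contributor", "content": 'Draft [load file="notes.txt"]'},
    {"id": 13, "author_role": "administrator", "content": '[load dir="../../logs" file="debug.log"]'},
    {"id": 14, "author_role": "editor", "content": "No shortcode here, just [loader] text"},
]

def parse_attrs(raw):
    """Parse name=value pairs from the inside of a shortcode tag."""
    return {n.lower(): dq or sq or bare
            for n, dq, sq, bare in ATTR_RE.findall(raw or "")}

def path_flags(value):
    """Generic markers of a path that leaves the intended directory."""
    flags = []
    if ".." in value.replace("\\", "/").split("/"):
        flags.append("parent-directory segment")
    if value.startswith(("/", "\\")) or re.match(r"[A-Za-z]:[\\/]", value):
        flags.append("absolute path")
    return flags

def audit_posts(posts):
    """Return one finding per [load] shortcode found in post content."""
    findings = []
    for post in posts:
        for m in LOAD_RE.finditer(post["content"]):
            attrs = parse_attrs(m.group(1))
            flags = [f"{k}: {f}" for k, v in attrs.items() for f in path_flags(v)]
            low_priv = post["author_role"] in LOW_PRIV_ROLES
            findings.append({"post_id": post["id"], "role": post["author_role"],
                             "attrs": attrs, "flags": flags,
                             "severity": "high" if low_priv or flags else "review"})
    return findings

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

Findings marked "review" are load shortcodes written by administrators with no path markers; they still matter on sites that have not yet reached 4.0.2.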
Recommendations
For versions prior to 4.0.2, update to version 4.0.2 or later to resolve the issue.
As a temporary workaround, consider restricting the load shortcode to minimize the risk of exploitation.
Restrict access to sensitive files and directories to prevent unauthorized access.
Disallow the unfiltered_html and file edit capabilities for non-admin users to reduce the attack surface.
Exploit
Fix
Insufficient Verification of Data Authenticity
Weakness Enumeration
Related Identifiers
Affected Products
Custom Content Shortcode