CVE-2023-2278

Name of the Vulnerable Software and Affected Versions WP Directory Kit plugin for WordPress versions up to, and including, 1.1.9

Description The issue allows unauthenticated attackers to include and execute arbitrary files on the server via the wdk public action function. This enables the execution of any PHP code in those files, which can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Recommendations For WP Directory Kit plugin for WordPress versions up to, and including, 1.1.9, consider disabling the wdk public action function until a patch is available to prevent the inclusion and execution of arbitrary files. Restrict access to sensitive data and limit the upload of files to minimize the risk of exploitation.