PT-2023-19527 · WordPress · Blog-In-Blog
Author: István Márton (+1)
Published: 2023-05-31 · Updated: 2023-06-06
CVE-2023-2435
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Blog-in-Blog plugin for WordPress versions up to, and including, 1.1.1
Description
The plugin allows attackers with editor-level access or above to include and execute arbitrary files on the server via a shortcode attribute, potentially bypassing access controls, obtaining sensitive data, or achieving code execution. This is particularly problematic where images and other supposedly "safe" file types can be uploaded and then included through the shortcode.
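The pattern behind this class of bug and one way to harden it, as an added illustration that is not the Blog-in-Blog plugin's own code: a shortcode attribute names a file that the handler includes. The shortcode tag `bib_demo`, the `file` attribute and the `templates/` directory are assumptions for the example.

```php
<?php
// Added example, not code from the Blog-in-Blog plugin. The shortcode name,
// attribute name and template directory are assumptions for illustration.

// Vulnerable pattern (shown for contrast, not registered): the attribute is
// appended to an include path unchanged, so a traversal sequence or an
// uploaded file of another type can be pulled in and run as PHP.
function bib_demo_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'file' => '' ), $atts, 'bib_demo' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['file'];
    return ob_get_clean();
}

// Hardened pattern: drop any directory component, accept only a plain
// template file name, resolve the real path and confirm it stays inside the
// template directory before the include runs.
function bib_demo_resolve_template( $name ) {
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $name = basename( (string) $name );                    // removes "../" and "/"
    if ( $base === false || ! preg_match( '/^[a-z0-9_-]+\.php$/i', $name ) ) {
        return null;
    }
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() is false for a missing file; the prefix check also rejects a
    // symlink inside templates/ that points elsewhere on disk.
    if ( $path === false || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $path;
}

function bib_demo_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'file' => '' ), $atts, 'bib_demo' );
    $path = bib_demo_resolve_template( $atts['file'] );
    if ( $path === null ) {
        return '';                                         // unknown template: render nothing
    }
    ob_start();
    include $path;
    return ob_get_clean();
}
add_shortcode( 'bib_demo', 'bib_demo_shortcode_fixed' );
```

A fixed allowlist of template names is stricter still and is preferable when the set of templates is known in advance.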
Recommendations
For Blog-in-Blog plugin for WordPress versions up to, and including, 1.1.1, update to a version that fixes this issue to prevent the inclusion and execution of arbitrary files on the server.
Fix
Path traversal
Affected Products
Blog-In-Blog