PT-2023-32349 · WordPress · The News & Blog Designer Pack

Florian Hauser · Published 2023-10-27 · Updated 2025-12-02 · CVE-2023-5815

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
The News & Blog Designer Pack – WordPress Blog Plugin, versions up to and including 3.4.1

Description
The issue is Remote Code Execution via Local File Inclusion. The bdp get more post function uses an unsafe extract() call to turn the contents of the POST variable into local variables and then passes that attacker-controlled input to include(). This makes it possible for unauthenticated attackers to include arbitrary PHP files and achieve remote code execution. On vulnerable Docker configurations, an attacker may be able to create a PHP file and subsequently include it to achieve RCE. Approximately 30,000 sites are at risk.

Recommendations
For versions up to and including 3.4.1, update to a version that fixes the bdp get more post function so that it no longer uses the unsafe extract() method. As a temporary workaround, consider disabling the bdp get more post function hooked via a nopriv AJAX action until a patch is available. Restrict access to the include() function to minimize the risk of exploitation. Avoid using the POST variable in the affected AJAX endpoint until the issue is resolved.
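The pattern the advisory describes, shown as an added illustration beside a hardened form. This is not the plugin's code: the handler names, the `layout` parameter, the `layouts/` directory and the placeholder AJAX action are hypothetical, and the workaround assumes the plugin registered its nopriv hook with a plain function callback at default priority.

```php
<?php
// Added illustration, NOT the plugin's code. All names below are hypothetical.
// Vulnerable pattern from the advisory: extract() over $_POST lets a request
// overwrite any local variable, including the one later handed to include(),
// so an unauthenticated nopriv AJAX caller decides which file is executed.
function hypothetical_ajax_handler_vulnerable() {
    $layout = 'default';                 // meant to stay under plugin control
    extract( $_POST );                   // $layout (and anything else) is now request-controlled
    include( plugin_dir_path( __FILE__ ) . 'layouts/' . $layout . '.php' );
    wp_die();
}

// Hardened form: no extract(); the parameter is read explicitly, sanitized,
// checked against an allowlist, and the include path is built from the
// allowlist value rather than from the request.
function hypothetical_ajax_handler_fixed() {
    $allowed = array(
        'default' => 'layouts/default.php',
        'grid'    => 'layouts/grid.php',
    );
    $layout = isset( $_POST['layout'] )
        ? sanitize_key( wp_unslash( $_POST['layout'] ) )   // [a-z0-9_-] only, no "../"
        : 'default';
    if ( ! array_key_exists( $layout, $allowed ) ) {
        wp_send_json_error( 'invalid layout', 400 );       // exits
    }
    include plugin_dir_path( __FILE__ ) . $allowed[ $layout ];
    wp_die();
}

// Temporary workaround from the advisory: unhook the nopriv (unauthenticated)
// AJAX action until the patched release is installed. Action and callback
// names are placeholders; substitute the plugin's own.
add_action( 'init', function () {
    remove_action( 'wp_ajax_nopriv_PLACEHOLDER_ACTION', 'PLACEHOLDER_CALLBACK' );
}, 20 );
```

Removing only the nopriv hook keeps the authenticated `wp_ajax_` variant working for logged-in users while the unauthenticated path is closed.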

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2023-5815

Affected Products: The News & Blog Designer Pack