CVE-2023-6295

Name of the Vulnerable Software and Affected Versions SiteOrigin Widgets Bundle WordPress plugin versions prior to 1.51.0

Description The issue allows users with the administrator role to perform Local File Inclusion (LFI) attacks in the context of Multisite WordPress sites. This is due to the plugin not validating user input before using it to generate paths passed to include function/s.

Recommendations For versions prior to 1.51.0, update to version 1.51.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality for users with the administrator role until the update is applied.