CVE-2023-1273

Name of the Vulnerable Software and Affected Versions ND Shortcodes WordPress plugin versions prior to 7.0

Description The issue is related to the incorrect validation of some shortcode attributes, which are used to generate paths passed to include functions. This allows any authenticated users, such as subscribers, to perform Local File Inclusion (LFI) attacks. The vulnerability can be exploited by a remote attacker.

Recommendations For versions prior to 7.0, update to version 7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the include functions that use the unvalidated shortcode attributes until a patch is available.