PT-2023-8522 · WordPress · The Shield Security

Hir0Ot +1 · Published 2023-12-18 · Updated 2024-02-28 · CVE-2023-6989

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress, versions up to and including 18.5.9.

Description

The plugin is vulnerable to Local File Inclusion: an unauthenticated attacker can include and execute PHP files on the server via the render action's template parameter, which allows execution of any PHP code those files contain. The root cause is improper external control of a file name or path. It is estimated that over 50,000 sites are affected.

Recommendations

For versions up to and including 18.5.9, update to a version that fixes this issue. As a temporary workaround, consider disabling the render action's template parameter until a patch is available. Restrict access to the setTemplate(), renderPhp() and path join() functions to minimize the risk of exploitation, and avoid using the render action's template parameter in the affected plugin until the issue is resolved.
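The weakness described above (a request parameter flowing unchecked into a PHP include) is mitigated by resolving the template name against a fixed directory and refusing anything outside it. The following is an added example written for this page, not code from the Shield Security plugin; the class name, directory layout and `.php` extension are assumptions.

```php
<?php
// Added example (not the plugin's own code): a template loader that maps an
// untrusted template name to a file inside one directory, or rejects it.
final class TemplateLoader
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('Template directory does not exist');
        }
        $this->baseDir = $real;
    }

    // Returns the canonical path for $template (e.g. from $_REQUEST['template'])
    // or null when the name must be rejected.
    public function resolve(string $template): ?string
    {
        // 1. Syntactic allow-list: a short simple name, no separators, dots or NUL bytes.
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template)) {
            return null;
        }
        // 2. Fixed extension: the caller never controls what kind of file is included.
        $candidate = $this->baseDir . DIRECTORY_SEPARATOR . $template . '.php';
        // 3. Canonicalise and confirm containment (covers symlinks as well as '..').
        $real   = realpath($candidate);
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $real;
    }

    public function render(string $template, array $vars = []): string
    {
        $path = $this->resolve($template);
        if ($path === null) {
            throw new RuntimeException('Unknown template');   // never echo the raw name
        }
        extract($vars, EXTR_SKIP);
        ob_start();
        include $path;
        return (string) ob_get_clean();
    }
}

// Hypothetical usage: new TemplateLoader(__DIR__ . '/templates') resolves 'login'
// to templates/login.php and returns null for '../wp-config' or 'login.php%00'.
```

Because the allow-list runs before any filesystem call, a rejected name never reaches `realpath()` or `include`, so there is nothing left for a traversal or wrapper string to act on.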

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2024-01090
CVE-2023-6989

Affected Products

The Shield Security