Local File Inclusion in Blog-in-Blog Plugin for WordPress
CVE-2023-2435

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Blog-in-Blog
Vendor: CVE Published:; 31 May 2023

Summary

The Blog-in-Blog plugin for WordPress is susceptible to Local File Inclusion vulnerabilities due to its handling of shortcode attributes. Attackers with editor-level access can exploit this flaw to include and execute arbitrary server-side files. This exploitation could lead to unauthorized access, code execution, and data exposure, particularly if malicious files are uploaded under the guise of safe formats. It is crucial for users and administrators to patch their installations to mitigate these security risks.

Affected Version(s)

Blog-in-Blog * <= 1.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/blog-in-blog/t...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 31, 2023
Vulnerability Reserved
May 1, 2023

Credit

Lana Codes