Cyber Resilience

CVE-2023-5815

Severity: High
Published: 22 November 2023
Modified: 08 April 2026
KEV Added: not listed
Patch: available (3.4.2)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4916 (97.8th percentile)
Risk Priority: 46 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-5815 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Infornweb News & Blog Designer Pack. Its CVSS base score is 8.1 (High); the vector is network-reachable and unauthenticated, with high attack complexity because the attacker needs a PHP file on the server to include.

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS 0.4916, 97.8th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The News & Blog Designer Pack WordPress plugin is affected by a remote code execution vulnerability via local file inclusion in all versions up to and including 3.4.1. The flaw resides in the bdp_get_more_post function, which is exposed through a nopriv AJAX hook and is therefore reachable without a logged-in session. The function applies extract() to the POST body, so any request parameter can overwrite a local variable, and one of those variables is then passed straight to include(), letting the requester choose which PHP file on the server is executed.

Unauthenticated remote attackers can exploit the issue over the network by submitting crafted AJAX requests that cause the server to load and execute a PHP file of their choosing. Because include() only executes files already present on the filesystem, the attacker needs a way to get PHP onto the host first; on Docker deployments with writable web roots, an attacker may write a malicious PHP file (for example through an upload path) and subsequently include it to obtain code execution, resulting in full compromise of the confidentiality, integrity, and availability of the affected site.
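The advisory describes the pattern but not the code. The block below is an added illustration, not the plugin's own source: a handler built the way the advisory describes (extract() over $_POST feeding include()) next to a hardened rewrite that reads named parameters, maps them through an allow-list and confines the resolved path to a fixed directory. The hook names, parameter names and template file names are assumptions chosen for the example.

```php
<?php
// Added illustrative example (not the plugin's code). Hook and parameter
// names are invented for the demonstration.

// --- Vulnerable pattern: do not deploy --------------------------------
// The nopriv hook makes the handler reachable without authentication.
add_action( 'wp_ajax_example_get_more_post',        'example_get_more_post_vulnerable' );
add_action( 'wp_ajax_nopriv_example_get_more_post', 'example_get_more_post_vulnerable' );

function example_get_more_post_vulnerable() {
    // extract() turns every POST key into a local variable, so a request
    // carrying template=../../uploads/2023/11/evil silently overwrites
    // the default set on the previous line.
    $template = 'grid';
    extract( $_POST );

    // The prefix and suffix do not help: "../" walks out of the templates
    // directory, and any readable .php file on the host is executed.
    include plugin_dir_path( __FILE__ ) . 'templates/' . $template . '.php';
    wp_die();
}

// --- Hardened pattern -------------------------------------------------
add_action( 'wp_ajax_example_get_more_post',        'example_get_more_post_hardened' );
add_action( 'wp_ajax_nopriv_example_get_more_post', 'example_get_more_post_hardened' );

function example_get_more_post_hardened() {
    // A nonce issued with the page (wp_create_nonce( 'example_more_post' ))
    // ties the request to a page load; it is not authentication, but it
    // stops blind cross-site and scripted calls to the public endpoint.
    check_ajax_referer( 'example_more_post', 'nonce' );

    // Read exactly the keys the handler needs. Never extract() user input.
    $layout = isset( $_POST['layout'] ) ? sanitize_key( wp_unslash( $_POST['layout'] ) ) : 'grid';
    $paged  = isset( $_POST['paged'] ) ? absint( $_POST['paged'] ) : 1;

    // Allow-list: the client's token is only ever used as an array key,
    // never as part of a path, so traversal sequences cannot reach include().
    $templates = array(
        'grid'     => 'templates/grid.php',
        'slider'   => 'templates/slider.php',
        'carousel' => 'templates/carousel.php',
    );
    if ( ! isset( $templates[ $layout ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown layout' ), 400 );
    }

    // Belt and braces: resolve the file and confirm it still sits inside
    // the plugin's templates directory (catches symlinks and stray edits).
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $real = realpath( plugin_dir_path( __FILE__ ) . $templates[ $layout ] );
    if ( false === $base || false === $real
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'template unavailable' ), 500 );
    }

    ob_start();
    include $real;
    wp_send_json_success( array( 'html' => ob_get_clean(), 'paged' => $paged ) );
}
```

The allow-list is the actual fix; the realpath() check is defence in depth against a future edit that reintroduces a path component from the request. On a nopriv endpoint the nonce only proves the caller loaded a page that carried it, so it should not be mistaken for an access control.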

The referenced WordPress plugin changeset and Wordfence advisory document that the unsafe extract() and include() pattern has been corrected in the 3.4.2 release. Site administrators are advised to update the plugin immediately and to review server configurations that permit the web server process to write into the web root, since that is what turns this inclusion bug into remote code execution.

The EPSS score currently stands at 0.4916; the tracker records no climb from a lower post-disclosure baseline.
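The advice above to review configurations that permit arbitrary file writes is easy to turn into a check. The functions below are an added example, not part of the advisory or the plugin: they report PHP-like files under wp-content/uploads (WordPress never writes PHP there, so any hit is suspect) and directories under a given tree that the web server's user could write into. The paths and the www-data user name in the usage comment are assumptions about a typical container.

```shell
# Added example (not from the advisory or the plugin). Paths and the
# web-server user name are assumptions; adjust for your deployment.

# Print every PHP-like file under the uploads tree given as $1.
# A clean WordPress install has none: uploads should be media only.
find_stray_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null
}

# Number of such files, for use in scripts and alerts.
count_stray_php() {
    find_stray_php "$1" | wc -l | tr -d ' '
}

# Print directories under $1 that the process user $2 could write into:
# owned by that user with the owner-write bit set, or world-writable.
# Plugin and theme trees are expected to be read-only in production;
# the official WordPress Docker image makes them writable by default.
find_writable_dirs() {
    find "$1" -type d \( \( -user "$2" -perm -u+w \) -o -perm -o+w \) 2>/dev/null
}

# Typical container usage (non-empty output is worth investigating):
#   find_stray_php /var/www/html/wp-content/uploads
#   find_writable_dirs /var/www/html/wp-content/plugins www-data
```

If the plugins tree shows up as writable by the web user, the fix is to keep automatic updates out of the container and mount wp-content/plugins and wp-content/themes read-only, leaving only uploads writable and served without PHP execution.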

EU & UK References

Vulnerability details

The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX. This is due to the function utilizing an unsafe extract() method to extract values from the POST variable and passing that input to the include() function. This makes it possible for unauthenticated attackers to include arbitrary PHP files and achieve remote code execution. On vulnerable Docker configurations it may be possible for an attacker to create a PHP file and then subsequently include it to achieve RCE.

CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: infornweb
Product: news & blog designer pack
Versions: ≤ 3.4.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References