Cyber Resilience

CVE-2023-6989

Severity: Critical
Published: 05 February 2024
Modified: 08 April 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.6734 (98.6th percentile)
Risk Priority: 60 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-6989 is a critical-severity local file inclusion vulnerability in the Shield Security WordPress plugin by Getshieldsecurity. It is classified under CWE-98 (improper control of the filename passed to a PHP include/require) and CWE-22 (path traversal). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 1.4% of CVEs by EPSS exploit likelihood (98.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is affected by a local file inclusion vulnerability in all versions up to and including 18.5.9. The flaw is in the handling of the render_action_template parameter and is tracked as CVE-2023-6989 with associated weaknesses CWE-98 and CWE-22: an unauthenticated attacker can supply an arbitrary path fragment that is resolved and passed to a PHP include, causing PHP files already present on the server to be included and executed.

An attacker with no credentials can send a single crafted request over the network to trigger the inclusion. Because the target of the include is executed as PHP, the practical impact is arbitrary code execution once a PHP file with attacker-controlled contents exists on disk (for example a file placed through an upload feature, or a file whose contents the attacker can influence). Successful exploitation grants the attacker the privileges of the web server process, enabling data exfiltration, modification of site content, or installation of persistent backdoors. This matches the CVSS 9.8 vector: network-reachable, low complexity, no privileges or user interaction, and high impact on confidentiality, integrity, and availability.

References point to a fix committed in WordPress plugin changeset 3013699. The corresponding plugin update corrects the handling of the parameter, and Wordfence advisory material directs administrators to upgrade beyond version 18.5.9.

The EPSS score for this CVE peaked at 0.6979; the current value is 0.6734.

Vulnerability details

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

CWE(s)

CWE-98 (improper control of filename for PHP include/require), CWE-22 (improper limitation of a pathname to a restricted directory)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: getshieldsecurity
Product: shield security
Versions: ≤ 18.5.10 as recorded in this asset entry. Note that the advisory text above gives the affected range as all versions up to and including 18.5.9; verify the exact cutoff against the plugin changelog before treating 18.5.10 as vulnerable or as fixed.

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness types (CWE-98, CWE-22) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames so that a request-supplied value cannot resolve outside the intended directory. For a template include this means accepting only an allowlist of known template names and, as a second check, confirming that the resolved real path of the file still lies under the template directory. The most direct control remains updating the plugin to a version later than 18.5.9.
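The following is an added illustrative example; it is not Shield Security's code and not the change in changeset 3013699. It shows the pattern described under Deeper analysis (a request parameter flowing unchanged into a PHP include) next to the path-validation control listed above. The functions render_template_vulnerable and render_template_hardened, the TEMPLATE_DIR constant, the template names and the sample traversal value are all hypothetical; only the parameter name render_action_template comes from the advisory.

```php
<?php
// Added illustrative example; not Shield Security's code and not the fix in
// changeset 3013699. Function names, TEMPLATE_DIR and the template names are
// hypothetical.
declare(strict_types=1);

// Hypothetical template directory. A real WordPress plugin would typically
// build this with plugin_dir_path(__FILE__) . 'templates'.
const TEMPLATE_DIR = __DIR__ . '/templates';

// VULNERABLE PATTERN (CWE-98 reached through CWE-22): the request value is
// joined into the include path unchanged. If TEMPLATE_DIR is
// <wp-content>/plugins/<plugin>/templates, a value such as
//   ../../../uploads/2024/01/payload
// (constructed for illustration) resolves to
// <wp-content>/uploads/2024/01/payload.php, so any PHP file the attacker has
// already managed to place on disk runs in the web server process.
function render_template_vulnerable(string $name): void
{
    include TEMPLATE_DIR . '/' . $name . '.php';
}

// HARDENED PATTERN: two independent checks.
//  1. Allowlist: only the template names the plugin ships are accepted.
//  2. Containment: the resolved real path must sit under TEMPLATE_DIR, which
//     defeats '../' and symlink tricks even if the allowlist is later relaxed.
function render_template_hardened(string $name): bool
{
    static $allowed = ['login', 'dashboard', 'notice']; // hypothetical names

    if (!in_array($name, $allowed, true)) {
        return false;
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return false; // directory or template missing: refuse rather than guess
    }

    // Compare including the trailing separator so that a sibling directory
    // such as /templates_old/ cannot pass as /templates/.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Request handling for the parameter named in the advisory. Reject non-string
// input (PHP turns ?render_action_template[]=x into an array).
$requested = $_GET['render_action_template'] ?? '';
if (!is_string($requested) || !render_template_hardened($requested)) {
    http_response_code(400);
    echo 'invalid template';
}
```

The allowlist is the actual fix; the realpath containment check is defence in depth for the case where template names later become data-driven. Because an include only yields code execution once a PHP file with attacker-controlled contents exists on disk, upload restrictions and file-integrity monitoring on the web root are useful companion controls while the plugin update is rolled out.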
