CVE-2023-6989
Published: 05 February 2024
Summary
CVE-2023-6989 is a critical-severity file inclusion vulnerability in the Shield Security plugin for WordPress (vendor: Getshieldsecurity), classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, the CWE titled 'PHP Remote File Inclusion'); in practice it is exploited as a local file inclusion. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is affected by a local file inclusion vulnerability in all versions up to and including 18.5.9. The flaw is reachable through the render_action_template parameter and is tracked as CVE-2023-6989 with the associated weaknesses CWE-98 (PHP file inclusion) and CWE-22 (path traversal); it lets an unauthenticated attacker supply an arbitrary path, causing the plugin to include, and therefore execute, PHP files already present on the server.
An attacker with no credentials can send a crafted request over the network to trigger the inclusion and thereby run PHP code on the server. Successful exploitation grants control of the web server process, enabling data exfiltration, modification of site content, or installation of persistent backdoors. This is consistent with the CVSS 9.8 rating: network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.
The references point to a fix committed in WordPress plugin changeset 3013699. The corresponding plugin update corrects the handling of the parameter, and the Wordfence advisory directs administrators to upgrade to a version later than 18.5.9.
The CVE's EPSS score has peaked at 0.6979, an estimated 69.8% probability of exploitation activity within the next 30 days.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59181
Vulnerability details
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Related Threats
No named threat actor has been attributed to this CVE. ATT&CK technique mapping for this CVE is in progress.
Affected Assets
Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress, all versions up to and including 18.5.9.
Mitigating Controls
Per-CVE control mapping has not yet run for this CVE; the control below is derived from the weakness types (CWEs) cited in the NVD entry.
Validate pathnames and filenames before they reach include/require: accept only an allow-listed set of template names, canonicalise the resolved path, and confirm it remains inside the intended directory (addresses CWE-22 and CWE-98).
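The include pattern described in the analysis above and the pathname validation listed as a mitigating control, shown side by side in an added example. This is illustrative code written for this page, not Shield Security's source: a template loader in the vulnerable shape CWE-98 and CWE-22 describe, next to a hardened resolver that allow-lists the name and checks containment after realpath(). Only the parameter name render_action_template comes from the advisory; the function names, directory layout and request values are assumptions made for the example.

```php
<?php
// Added illustration (not Shield Security's code). Demonstrates a template
// loader that takes its file name from a request parameter, in the
// vulnerable shape CWE-98/CWE-22 describe, beside a hardened version.
// Function names, directory layout and request values are assumptions.

declare(strict_types=1);

// Vulnerable shape: the request value is concatenated straight into the
// include path. A value such as "../secret" walks out of the template
// directory, and PHP executes whatever file the resulting path names.
function resolve_template_unsafe(string $templateDir, string $name): string
{
    return $templateDir . '/' . $name . '.php';
}

// Hardened shape: restrict the name syntactically, canonicalise with
// realpath(), and confirm the resolved file still lives under $templateDir.
function resolve_template_safe(string $templateDir, string $name): string
{
    // 1. Only simple identifiers are valid template names; "/" and "." are
    //    rejected outright, so traversal never reaches the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $name)) {
        throw new InvalidArgumentException('invalid template name');
    }
    // 2. realpath() returns false for a missing file and follows symlinks,
    //    so a non-existent or symlinked-away target is caught here.
    $base      = realpath($templateDir);
    $candidate = realpath($templateDir . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        throw new RuntimeException('template not found');
    }
    // 3. Containment check including the trailing separator, so that
    //    "/srv/templates2" cannot pass as a prefix of "/srv/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('template outside template directory');
    }
    return $candidate;
}

// Demo fixture: a throwaway template directory plus one PHP file outside it.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/notice.php", "<?php echo 'rendered notice', PHP_EOL;");
file_put_contents("$root/secret.php", "<?php echo 'THIS SHOULD NEVER RUN', PHP_EOL;");

// Constructed request values: one legitimate template name and two traversal
// payloads of the kind an attacker would place in render_action_template.
$requests = ['notice', '../secret', '../../../../etc/passwd'];

foreach ($requests as $value) {
    // The unsafe resolver happily produces an out-of-directory path; it is
    // only printed here, never included.
    $unsafe = resolve_template_unsafe("$root/templates", $value);
    echo "unsafe resolves '$value' -> $unsafe", PHP_EOL;

    try {
        $safe = resolve_template_safe("$root/templates", $value);
        echo "safe   accepts  '$value' -> $safe", PHP_EOL;
        include $safe;   // reached only for an in-directory template
    } catch (Exception $e) {
        echo "safe   rejects  '$value': ", $e->getMessage(), PHP_EOL;
    }
}

// Clean up the fixture.
unlink("$root/templates/notice.php");
unlink("$root/secret.php");
rmdir("$root/templates");
rmdir($root);
```

Running the script with `php` shows the unsafe resolver building paths to secret.php and to /etc/passwd.php from the traversal values, while the safe resolver includes only notice.php and rejects both payloads at the syntactic check. The realpath() containment step is kept even though the regex already blocks traversal, because it also stops a symlink planted inside the template directory from pointing outside it.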