What is CVE-2023-5815?

CVE-2023-5815 is a vulnerability in the News & Blog Designer Pack - WordPress Blog Plugin that allows for remote code execution via local file inclusion.

What is the severity of CVE-2023-5815?

CVE-2023-5815 has a severity level of critical.

How does CVE-2023-5815 affect Infornweb News & Blog Designer Pack?

CVE-2023-5815 affects all versions of the Infornweb News & Blog Designer Pack plugin up to and including version 3.4.1.

How can I fix CVE-2023-5815?

To fix CVE-2023-5815, it is recommended to update the News & Blog Designer Pack plugin to the latest version.

Where can I find more information about CVE-2023-5815?

More information about CVE-2023-5815 can be found at the following references: [Reference 1](https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2bdf11-401a-48af-b1dc-aeeb40b9a384?source=cve), [Reference 2](https://wordpress.org/plugins/blog-designer-pack/), [Reference 3](https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2984052%40blog-designer-pack&new=2984052%40blog-designer-pack&sfp_email=&sfph_mail=).

Vulnerability/
CVE-2023-5815

critical

9.8

CWE

EPSS

0.322%

22/11/2023

2/8/2024

CVE-2023-5815

First published: Wed Nov 22 2023(Updated: )

The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX. This is due to function utilizing an unsafe extract() method to extract values from the POST variable and passing that input to the include() function. This makes it possible for unauthenticated attackers to include arbitrary PHP files and achieve remote code execution. On vulnerable Docker configurations it may be possible for an attacker to create a PHP file and then subsequently include it to achieve RCE.

Credit: security@wordfence.com

Affected Software	Affected Version	How to fix
Infornweb News & Blog Designer Pack	<=3.4.1

Remedy

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2984052%40blog-designer-pack&new=2984052%40blog-designer-pack&sfp_email=&sfph_mail=

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-5815?
CVE-2023-5815 is a vulnerability in the News & Blog Designer Pack - WordPress Blog Plugin that allows for remote code execution via local file inclusion.
What is the severity of CVE-2023-5815?
CVE-2023-5815 has a severity level of critical.
How does CVE-2023-5815 affect Infornweb News & Blog Designer Pack?
CVE-2023-5815 affects all versions of the Infornweb News & Blog Designer Pack plugin up to and including version 3.4.1.
How can I fix CVE-2023-5815?
To fix CVE-2023-5815, it is recommended to update the News & Blog Designer Pack plugin to the latest version.
Where can I find more information about CVE-2023-5815?
More information about CVE-2023-5815 can be found at the following references: [Reference 1](https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2bdf11-401a-48af-b1dc-aeeb40b9a384?source=cve), [Reference 2](https://wordpress.org/plugins/blog-designer-pack/), [Reference 3](https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2984052%40blog-designer-pack&new=2984052%40blog-designer-pack&sfp_email=&sfph_mail=).

agent/references
agent/type
agent/event
agent/first-publish-date
agent/softwarecombine
agent/remedy
agent/weakness
agent/author
agent/severity
collector/epss-latest
source/FIRST
agent/description
agent/epss
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
agent/software-canonical-lookup-request
vendor/infornweb
canonical/infornweb news & blog designer pack
version/infornweb news & blog designer pack/3.4.1