WordPress Plugin Vulnerabilities

News & Blog Designer Pack – WordPress Blog Plugin < 3.4.2 - Unauthenticated Remote Code Execution via Local File Inclusion

Description

The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX. This is due to function utilizing an unsafe extract() method to extract values from the POST variable and passing that input to the include() function. This makes it possible for unauthenticated attackers to include arbitrary PHP files and achieve remote code execution. On vulnerable Docker configurations it may be possible for an attacker to create a PHP file and then subsequently include it to achieve RCE.

Affects Plugins

Plugin icon
blog-designer-pack
Fixed in 3.4.2

References

CVE
CVE-2023-5815
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2bdf11-401a-48af-b1dc-aeeb40b9a384

Classification

Type
RFI
OWASP top 10
A1: Injection
CWE
CWE-98
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Florian Hauser
Verified
No
WPVDB ID
3e7b0755-f1ff-4187-8ea1-93c76b747fe0

Timeline

Publicly Published
2023-10-26 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-05-16
Title
FAT Services Booking <= 5.5 - Authenticated (Contributor+) Local File Inclusion
Published
2026-02-27
Title
Coleo <= 1.1.7 - Unauthenticated Local File Inclusion
Published
2024-03-13
Title
Premmerce Permalink Manager for WooCommerce < 2.3.11 - Unauthenticated Local File Inclusion
Published
2025-09-02
Title
Smash <= 1.7 - Unauthenticated Local File Inclusion
Published
2026-02-25
Title
The Issue < 1.6.12 - Unauthenticated Local File Inclusion