The plugin does not validate one of its shortcode attributes, which could allow users with the Contributor role and above to include arbitrary files via a path traversal attack. This could also allow them to read non-PHP files and retrieve their content. RCE could also be achieved if the attacker manages to upload a malicious image containing PHP code and then include it via the affected attribute; on a default WP install, Authors could easily achieve that, since they have the upload_files capability.
As a Contributor, put the shortcode below in a post and preview it:

[comment template="/../../../license.txt"]

Assuming the blog is at /var/www/wordpress/, /etc/passwd can be accessed with:

[comment template="/../../../../../../etc/passwd"]

If the attacker can upload any file, such as an image containing PHP code in the comment, RCE could be achieved (by default, Author and above can upload files), for example:

[comment template="/../../../wp-content/uploads/2023/01/malicious.jpg"]
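The root cause described above, illustrated with an added example that is not the affected plugin's code: a shortcode handler that concatenates the template attribute straight into include, beside a hardened handler that restricts the attribute to an allow-list and confirms the resolved path stays inside the plugin's template directory. Function names, the templates/ directory and the allow-list entries are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical names throughout.

// VULNERABLE: the attribute becomes part of the included path with no
// validation, so a value such as "/../../../license.txt" walks out of the
// plugin directory, and any readable file (PHP or not) gets included.
function vuln_comment_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default.php' ), $atts, 'comment' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates' . $atts['template'];
    return ob_get_clean();
}

// HARDENED: only a known template name is accepted, and the resolved path is
// checked against the templates directory before anything is included.
function safe_comment_shortcode( $atts ) {
    $atts    = shortcode_atts( array( 'template' => 'default' ), $atts, 'comment' );
    $allowed = array( 'default', 'compact', 'threaded' ); // assumed template set

    // sanitize_key() keeps only lowercase a-z, 0-9, "_" and "-", so "/" and
    // "." can never reach the path; the allow-list then pins the exact names.
    $name = sanitize_key( $atts['template'] );
    if ( ! in_array( $name, $allowed, true ) ) {
        $name = 'default';
    }

    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name . '.php' );

    // Defence in depth: even if the allow-list is later edited carelessly,
    // refuse any file that does not resolve inside the templates directory.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $path;
    return ob_get_clean();
}

add_shortcode( 'comment', 'safe_comment_shortcode' );
```

Because the hardened handler never includes a file outside its own templates directory, uploaded media such as a JPEG carrying PHP cannot be pulled in through the shortcode even when the attacker has upload_files.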
2023-02-22 (about 2 months ago)