Shield Security – Smart Bot Blocking & Intrusion Prevention Security < 18.5.10 – Unauthenticated Local File Inclusion | CVE 2023-6989 | Plugin Vulnerabilities

Description

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

Affects Plugins

wp-simple-firewall

Fixed in 18.5.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/063826cc-7ff3-4869-9831-f6a4a4bbe74c

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

hir0ot

Verified

No

WPVDB ID

a485aee7-39a0-418c-9699-9afc53e28f55

Timeline

Publicly Published

2024-02-05 (about 1 year ago)

Added

2024-02-06 (about 1 year ago)

Last Updated

2024-02-06 (about 1 year ago)

Other

Published

Title

Published

2023-12-28

Title

Product Feed Manager < 7.3.16 - Authenticated (Admin+) Directory Traversal

Published

2015-07-14

Title

Subscribe to Comments < 2.3 - Authenticated Local File Inclusion

Published

2025-05-14

Title

File Manager Advanced Shortcode <= Multiple Versions - Authenticated (Administrator+) Local JavaScript File Inclusion via Shortcode

Published

2025-02-02

Title

Plugin A/B Image Optimizer <= 3.3 - Authenticated (Subscriber+) Arbitrary File Download

Published

2025-10-24

Title

Creta Testimonial Showcase < 1.2.4 - Editor+ Local File Inclusion