Remote Content Shortcode <= 1.5 – Authenticated(Contributor+) Local File Inclusion via shortcode | CVE 2023-45652 | Plugin Vulnerabilities

Description

The Remote Content Shortcode plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.5 via the plugin's shortcode. This allows authenticated attackers with contributor-level privileges and above to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included

Affects Plugins

remote-content-shortcode

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d1568e8d-9ea5-4673-a657-03e89cfb6000

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Verified

No

WPVDB ID

cf4c0bd8-8ab6-437e-a0dc-22839da0e15a

Timeline

Publicly Published

2023-10-12 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-11 (about 2 years ago)

Other

Published

Title

Published

2020-10-29

Title

WordPress < 5.5.2 - Protected Meta That Could Lead to Arbitrary File Deletion

Published

2022-01-26

Title

LearnPress < 4.1.5 - Arbitrary Image Renaming

Published

2024-12-20

Title

Easy Digital Downloads < 3.3.3 - Authenticated (Admin+) Arbitrary File Download

Published

2025-10-07

Title

Motors – Car Dealership & Classified Listings Plugin < 1.4.90 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2025-09-10

Title

Propovoice < 1.7.7 - Unauthenticated Arbitrary File Read