WordPress Plugin Vulnerabilities

Blog-in-Blog <= 1.1.1 - Editor+ Local File Inclusion via Shortcode

Description

The plugin does not validate a shortcode attribute before using it to include a template file, allowing users with an editor role or above to include arbitrary files readable by the web server, and execute them in case of php files.

Affects Plugins

Plugin icon
blog-in-blog
No known fix

References

CVE
CVE-2023-2435
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/blog-in-blog/blog-in-blog-111-authenticated-editor-local-file-inclusion-via-shortcode

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
fe671c85-b3b8-4572-978b-5ecaa3bf6879

Timeline

Publicly Published
2023-05-30 (about 2 years ago)
Added
2023-05-31 (about 2 years ago)
Last Updated
2026-01-29 (about 3 months ago)

Other

Published
Title
Published
2020-04-22
Title
Advanced Woo Search < 2.00 - SQL query leak in ajax search
Published
2014-08-01
Title
ABtest - Directory Traversal
Published
2024-10-14
Title
RS-Members <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation
Published
2025-02-24
Title
Advanced Google reCaptcha < 1.28 - Built-in Math CAPTCHA Bypass
Published
2023-11-27
Title
Restricted Site Access <= 7.4.1 - IP Spoofing to Protection Mechanism Bypass