Description
The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include functions, allowing any authenticated user, such as a subscriber, to perform local file inclusion (LFI) attacks.
References (1)
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/0805ed7e-395d-48de-b484-6c3ec1cd4b8e
Scores
CVSS v3: 8.8
EPSS: 0.1276
EPSS Percentile: 94.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
Status: published
Products (1)
nicdark/nd_shortcodes: < 7.0
Published: Jul 04, 2023
Tracked Since: Feb 18, 2026