PRIOn knowledge base: PRION:CVE-2023-2278
History: Jun 13, 2023 - 2:15 a.m.

Design/Logic Flaw

2023-06-13 02:15:00
PRIOn knowledge base
www.prio-n.com

Tags: wordpress, local file inclusion, vulnerability, unauthenticated attackers, arbitrary files, server security, php code execution, access controls, sensitive data

AI Score: 9.8 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 72.3%)

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the ‘wdk_public_action’ function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CPE

| Name | Operator | Version |
| --- | --- | --- |
| wp_directory_kit | lt | 1.2.0 |
