The Wordfence team uncovered a critical vulnerability in Shield Security, a widely used WordPress plugin with over 50,000 active installations. The flaw was reported by a researcher known as hir0ot through the Wordfence Bug Bounty Program.
Tracked as CVE-2023-6989 (CVSS 9.8), the vulnerability is a Local File Inclusion (LFI) flaw: an unauthenticated attacker could cause the server to include PHP files, potentially leading to the execution of arbitrary PHP code. Its reach was narrower than a general LFI, however, because only PHP files could be included; the flaw was therefore most useful to an attacker who could already upload PHP files to the server but had no direct way to execute them.
“This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files,” reads the Wordfence advisory.
Shield Security is a WordPress defense plugin offering a firewall, a malware scanner, and activity logs. Its template management system, which processes .twig, .php, or .html files, was the root cause of the vulnerability: the rendering functions did not sanitize file paths, which opened the door to arbitrary file inclusion.
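As an added illustration (not code from Shield Security or from the advisory), the PHP below models the bug class described above, a template renderer that builds an include path from a caller-controlled name, next to a hardened version that resolves the path and confines it to the template directory; the function names and directory layout are assumptions for this example.

```php
<?php
// Added example, not the plugin's code. ALLOWED_EXT mirrors the template
// types the article mentions; everything else here is constructed.
const ALLOWED_EXT = ['twig', 'php', 'html'];

// Weak: the name is concatenated and included as-is, so a value containing
// "../" or an absolute path escapes the template directory (the LFI pattern).
function render_unsafe(string $templateDir, string $template): void
{
    include $templateDir . '/' . $template;
}

// Hardened: return a path only if it resolves (symlinks and ".." collapsed)
// to a regular file strictly inside $templateDir with an expected extension.
function resolve_template(string $templateDir, string $template): ?string
{
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $template);
    if ($base === false || $path === false || !is_file($path)) {
        return null;                      // unresolvable or not a file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the directory
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $path : null;
}

function render_safe(string $templateDir, string $template): bool
{
    $path = resolve_template($templateDir, $template);
    if ($path === null) {
        error_log('template rejected: ' . $template);   // detection hook
        return false;
    }
    include $path;
    return true;
}

// Constructed demo: a throwaway template directory holding one valid
// template, plus one PHP file placed just outside it.
$dir     = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
$outside = sys_get_temp_dir() . '/tpl_outside_' . getmypid() . '.php';
mkdir($dir);
file_put_contents($dir . '/page.html', "<p>hello</p>\n");
file_put_contents($outside, "<?php echo 'outside';\n");
var_dump(render_safe($dir, 'page.html'));                 // legitimate name
var_dump(render_safe($dir, '../' . basename($outside)));  // traversal refused
unlink($dir . '/page.html'); unlink($outside); rmdir($dir);
```

Note that realpath() only resolves existing files, so a nonexistent name is rejected at the first check and never reaches the prefix comparison.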
Although the scope of CVE-2023-6989 was limited to PHP files, which rules out common LFI-to-RCE techniques such as log file poisoning, it still represented a significant risk. An attacker could chain it with another plugin vulnerability, for example one that permits file upload, which illustrates how dependencies between plugins compound the risk in the WordPress ecosystem.
In response, all Shield Security users are urged to update to the patched version, 18.5.10, without delay.