CVE-2023-6989
Published 2024-02-05. CVE-2023-6989: The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and…
Priority P1 · 81 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available (public PoC; see the Nuclei template below)
EPSS: 56.57% (98.9th percentile)
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getshieldsecurity | shield_security | < 18.5.10 | 18.5.10 |
Detection & IOCs (extracted from sources)
PoC request body (from the Nuclei template): `action=shield_action&ex=generic_render&exnonce=5a988a925a&render_action_template=../../icwp-wpsf.php`
- POST request to /wp-admin/admin-ajax.php with body parameters action=shield_action, ex=generic_render, and render_action_template containing path traversal sequences (../../) targeting icwp-wpsf.php indicates active LFI exploitation of CVE-2023-6989.
- Successful exploitation returns HTTP 200 with Content-Type: application/json and a body containing all three strings: 'dashboard_shield', 'shield_action', and 'search_shield'.
- Presence of /wp-content/plugins/wp-simple-firewall in an HTTP response body indicates the vulnerable Shield Security plugin is installed; use for asset discovery via Shodan/FOFA.
- The vulnerability is exploitable by unauthenticated attackers via the render_action_template parameter, requiring no authentication or privileges.
- The nonce value (exnonce=5a988a925a) used in the PoC payload is hardcoded in the Nuclei template; real-world exploitation may use different or dynamically generated nonce values, so detection rules should not rely solely on this specific nonce.
- All versions up to and including 18.5.9 are vulnerable; version 18.5.10 or later is the remediated release. Detection should flag installations running <= 18.5.9.
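The detection notes above describe a request shape (POST to admin-ajax.php, action=shield_action, ex=generic_render, a traversal sequence in render_action_template) and a version boundary (fixed in 18.5.10). The following is an added example, not code from the page, from Wordfence or from the plugin vendor, that turns both into checkable functions: it inspects request records of the form (method, path, body) as a WAF or body-logging reverse proxy would supply them, decodes layered percent-encoding before looking for traversal, deliberately ignores the nonce, and compares a discovered plugin version against the fixed release. The request tuples and version strings are constructed for the example.

```python
"""Defensive triage helper for CVE-2023-6989 (Shield Security <= 18.5.9 LFI).

Added example (not the page's or vendor's code): flags admin-ajax POSTs that
match the IOC pattern from the detection notes and checks plugin versions
against the remediated release. Input records are (method, path, body)
tuples, assumed to come from a WAF or a proxy that logs request bodies.
"""
import re
from urllib.parse import parse_qs, unquote

FIXED_VERSION = (18, 5, 10)                     # first remediated release per the advisory
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\)")  # '../' or '..\' after decoding


def parse_version(v: str) -> tuple:
    """'18.5.9' -> (18, 5, 9); stops at the first non-numeric piece ('18.5.9-beta')."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(v: str) -> bool:
    """True for every version below 18.5.10, i.e. <= 18.5.9 as the advisory states."""
    return parse_version(v) < FIXED_VERSION


def _fully_unquote(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def matches_cve_2023_6989(method: str, path: str, body: str) -> bool:
    """True when a request has the IOC shape: POST to admin-ajax.php with
    action=shield_action, ex=generic_render and a render_action_template value
    containing a traversal sequence. The nonce is ignored on purpose, since the
    notes say it is not a stable indicator."""
    if method.upper() != "POST":
        return False
    if not path.split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(body, keep_blank_values=True)  # parse_qs already unquotes once
    if params.get("action") != ["shield_action"] or params.get("ex") != ["generic_render"]:
        return False
    return any(TRAVERSAL_RE.search(_fully_unquote(t))
               for t in params.get("render_action_template", []))


def triage(requests: list) -> list:
    """Indices of the records that match the IOC, for alerting or blocking."""
    return [i for i, (m, p, b) in enumerate(requests) if matches_cve_2023_6989(m, p, b)]


# Constructed sample traffic (not real logs): a legitimate plugin render call,
# a plain traversal attempt, a double-encoded traversal attempt, an unrelated POST.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=shield_action&ex=generic_render&exnonce=deadbeef00&render_action_template=some_view"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=shield_action&ex=generic_render&exnonce=deadbeef00&render_action_template=../../some.php"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=shield_action&ex=generic_render&render_action_template=%252e%252e%252fsome.php"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat"),
]

if __name__ == "__main__":
    print("flagged request indices:", triage(SAMPLE_REQUESTS))  # [1, 2]
    for v in ("18.5.9", "18.5.10", "19.0.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The match is keyed on the three body parameters and the traversal sequence rather than on the nonce or on the exact icwp-wpsf.php target, so it still fires when an attacker varies the included file; the version check treats any 18.5.x below 18.5.10 as vulnerable, consistent with the fixed-in column of the affected table.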
VulDB
Shield Security Plugin up to 18.5.9 on WordPress file inclusion
vuldb · 2026-04-11 · CVSS 9.8
CVE-2023-6989 [CRITICAL] Shield Security Plugin up to 18.5.9 on WordPress file inclusion
A vulnerability described as critical has been identified in Shield Security Plugin up to 18.5.9 on WordPress. This impacts an unknown function. Such manipulation leads to file inclusion.
This vulnerability is documented as CVE-2023-6989. The attack requires being on the local network. There is no exploit available.
GHSA
GHSA-72xj-cfw6-3c4q: The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up
ghsa_unreviewed · 2024-02-06
CVE-2023-6989 [CRITICAL] CWE-22 GHSA-72xj-cfw6-3c4q: The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
No detection rules found.
Nuclei
Shield Security WP Plugin <= 18.5.9 - Local File Inclusion
nuclei · CVSS 9.8
CVE-2023-6989 [CRITICAL] Shield Security WP Plugin <= 18.5.9 - Local File Inclusion
Shield Security WP Plugin <= 18.5.9 - Local File Inclusion
The Shield Security Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Template:

```yaml
id: CVE-2023-6989

info:
  name: Shield Security WP Plugin <= 18.5.9 - Local File Inclusion
  author: s4e-io
  severity: critical
  description: |
    The Shield Security Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter.
```

References:
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3013699%40wp-simple-firewall&new=3013699%40wp-simple-firewall&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/063826cc-7ff3-4869-9831-f6a4a4bbe74c?source=cve

Published: 2024-02-05