CVE-2023-6989
published 2024-02-05

Priority: P1 81 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 56.57% (98.9th percentile)
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

Affected

1 range
Vendor: getshieldsecurity
Product: shield_security
Version range: < 18.5.10
Fixed in: 18.5.10

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/plugins/wp-simple-firewall
command: action=shield_action&ex=generic_render&exnonce=5a988a925a&render_action_template=../../icwp-wpsf.php
filename: icwp-wpsf.php
  • POST request to /wp-admin/admin-ajax.php with body parameters action=shield_action, ex=generic_render, and render_action_template containing path traversal sequences (../../) targeting icwp-wpsf.php indicates active LFI exploitation of CVE-2023-6989.
  • Successful exploitation returns HTTP 200 with Content-Type: application/json and body containing all three strings: 'dashboard_shield', 'shield_action', and 'search_shield'.
  • Presence of /wp-content/plugins/wp-simple-firewall in HTTP response body indicates the vulnerable Shield Security plugin is installed; use for asset discovery via Shodan/FOFA.
  • The vulnerability is exploitable by unauthenticated attackers via the render_action_template parameter, requiring no authentication or privileges.
  • The nonce value (exnonce=5a988a925a) used in the PoC payload is hardcoded in the Nuclei template; real-world exploitation may use different or dynamically generated nonce values, so detection rules should not rely solely on this specific nonce.
  • All versions up to and including 18.5.9 are vulnerable; version 18.5.10 or later is the remediated release. Detection should flag installations running <= 18.5.9.
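
One way to apply the detection notes above to parsed request logs, as an added example that is not taken from the page's sources or from the plugin. The sample requests are constructed (the first reuses the body quoted above, the template path in the third is hypothetical), and checking the query string as well as the body is an assumption.

```python
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
FIXED_IN = (18, 5, 10)  # first remediated release per this entry

def _decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) so traversal cannot hide."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_lfi_attempt(method, url, body):
    """True if a request matches the CVE-2023-6989 pattern in the notes above."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith(AJAX_PATH):
        return False
    # Assumption: parameters may arrive in the query string as well as the body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if "shield_action" not in params.get("action", []):
        return False
    if "generic_render" not in params.get("ex", []):
        return False
    # The nonce is deliberately ignored: it differs between sites and requests.
    templates = [_decode_fully(v) for v in params.get("render_action_template", [])]
    return any(".." in t.split("/") for t in templates)

def is_vulnerable_version(version):
    """True for plugin versions up to and including 18.5.9."""
    return tuple(int(p) for p in version.split(".")[:3]) < FIXED_IN

# Constructed sample requests: (method, url, body)
SAMPLE_REQUESTS = [
    ("POST", AJAX_PATH, "action=shield_action&ex=generic_render&exnonce=5a988a925a"
                        "&render_action_template=../../icwp-wpsf.php"),
    ("POST", AJAX_PATH, "action=shield_action&ex=generic_render&exnonce=0000000000"
                        "&render_action_template=%252e%252e%2F%252e%252e%2Ficwp-wpsf.php"),
    ("POST", AJAX_PATH, "action=shield_action&ex=generic_render&exnonce=0000000000"
                        "&render_action_template=/components/example.twig"),
    ("GET", AJAX_PATH + "?action=heartbeat", ""),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(is_lfi_attempt(*req), req[0], req[2][:60])
```
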