CVE-2023-0340: 
WordPress vulnerability analysis and mitigation

CVE-2023-0340 affects the Custom Content Shortcode WordPress plugin through version 4.0.2. The vulnerability was discovered and disclosed in February 2023, impacting WordPress installations using the affected plugin versions. The issue stems from improper validation of shortcode attributes, which affects users with contributor-level permissions and above (WPScan).

The vulnerability is a Local File Inclusion (LFI) flaw that occurs due to insufficient validation of shortcode attributes. This security issue allows users with contributor privileges or higher to perform file traversal attacks to include arbitrary files. The vulnerability can be exploited through specially crafted shortcode inputs, such as using the template parameter in comment shortcodes to access files outside the intended directory structure (WPScan).

The vulnerability enables attackers to read non-PHP files and retrieve their content through directory traversal. More critically, if an attacker can upload a malicious image containing PHP code (which is possible for users with author privileges by default), they can achieve Remote Code Execution (RCE) by including the malicious file through the affected attribute (WPScan).

No direct fix was mentioned in the available sources. However, given the severity of the vulnerability, users should either remove the Custom Content Shortcode plugin or upgrade to a version newer than 4.0.2 if a patch is available (WPScan).