CVE-2023-0467: 
WordPress vulnerability analysis and mitigation

CVE-2023-0467 is a Local File Inclusion (LFI) vulnerability affecting the WordPress plugin WP Dark Mode versions below 4.0.8. The vulnerability was publicly disclosed on March 6, 2023, and has been assigned a CVSS score of 4.2 (medium severity). The issue affects the plugin's handling of the style parameter in shortcodes (WPScan).

The vulnerability stems from improper sanitization of the style parameter in shortcodes before using it to load a PHP template. This security flaw allows for Local File Inclusion on servers where non-existent directories can be traversed, or when combined with another vulnerability that enables arbitrary directory creation. The vulnerability is classified under CWE-22 and falls into the OWASP Top 10 category A1: Injection (WPScan).

When exploited, this vulnerability allows authenticated users with subscriber-level access or higher to perform Local File Inclusion attacks. This could potentially lead to unauthorized access to sensitive files on the server, particularly on Windows-based systems where directory traversal restrictions are less strict (WPScan).

The vulnerability has been patched in WP Dark Mode version 4.0.8. Website administrators running affected versions should update to version 4.0.8 or later to mitigate this security risk (WPScan).