CVE-2023-1273: 
WordPress vulnerability analysis and mitigation

The ND Shortcodes WordPress plugin (versions before 7.0) contains a Local File Inclusion (LFI) vulnerability, identified as CVE-2023-1273. The vulnerability was discovered and publicly disclosed on June 12, 2023. This security flaw affects the plugin's shortcode functionality and impacts WordPress installations using the vulnerable versions of the ND Shortcodes plugin (WPScan).

The vulnerability stems from improper validation of shortcode attributes before they are used to generate paths that are passed to include functions. The vulnerability has been assigned a CVSS score of 7.5 (High), and is classified under CWE-22. The flaw falls under the OWASP Top 10 category A1: Injection (WPScan).

This vulnerability allows any authenticated users, including those with minimal privileges such as subscribers, to perform Local File Inclusion (LFI) attacks. This means attackers could potentially access and read sensitive files on the server that they shouldn't have access to (WPScan).

The vulnerability has been fixed in version 7.0 of the ND Shortcodes plugin. Website administrators running affected versions should update to version 7.0 or later immediately to mitigate this security risk (WPScan).