CVE-2023-5099: 
WordPress vulnerability analysis and mitigation

The HTML filter and csv-file search plugin for WordPress (versions up to 2.7) contains a Local File Inclusion vulnerability identified as CVE-2023-5099. The vulnerability was discovered in October 2023 and affects the 'src' attribute of the 'csvsearch' shortcode, allowing authenticated attackers with contributor-level permissions or higher to include and execute arbitrary files on the server (Wordfence Intel).

The vulnerability stems from improper sanitization and validation of the 'src' attribute in the 'csvsearch' shortcode. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties) (WPScan).

When exploited, this vulnerability allows attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code contained in those files. This can result in bypassing access controls, obtaining sensitive data, or achieving code execution in cases where images and other "safe" file types can be uploaded and included (NVD).

A patch has been released in version 2.8 of the plugin. Users are advised to update to this version or later to mitigate the vulnerability (WordPress Plugins).