CVE-2023-5199: 
WordPress vulnerability analysis and mitigation

The PHP to Page plugin for WordPress contains a Local File Inclusion vulnerability that can lead to Remote Code Execution (CVE-2023-5199) in versions up to and including 0.3. The vulnerability was discovered in October 2023 and affects the 'php-to-page' shortcode functionality (NVD).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to include local files and potentially execute code on the server. The issue received a CVSS v3.1 base score of 9.9 (Critical) from Wordfence and 8.8 (High) from NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties) (NVD).

The vulnerability's impact is severe as it allows authenticated users to include local files and potentially execute arbitrary code on the server. While subscribers need to poison log files or get a file installed to achieve remote code execution, users with author-level permissions or higher can easily achieve remote code execution through their ability to upload files by default (Wordfence).

Users should immediately update their PHP to Page plugin to a version newer than 0.3 if available, or consider removing the plugin entirely if updates are not available. Additionally, reviewing and restricting user roles and permissions can help mitigate the risk (NVD).