
Cloud Vulnerability DB
A community-led vulnerabilities database
The News & Blog Designer Pack WordPress plugin contains a critical Remote Code Execution (RCE) vulnerability tracked as CVE-2023-5815. It affects all versions up to and including 3.4.1 and allows unauthenticated attackers to execute arbitrary code through Local File Inclusion (LFI) in the bdp_get_more_post function. The vulnerability was disclosed in October 2023; the plugin has over 30,000 active WordPress installations (Security Online, NVD).
The flaw is in the bdp_get_more_post function, which is registered as a nopriv AJAX action and is therefore reachable without any authentication. The function calls extract() on the POST data, which turns every request parameter into a local PHP variable and silently overwrites variables the code already set, and then passes one of those variables to include(). Because the request controls the path that include() receives, an unauthenticated attacker can include arbitrary PHP files on the server and, if they can get PHP code onto disk, execute it. NIST assigned a CVSS v3.1 base score of 9.8 (CRITICAL); Wordfence rated it 8.1 (HIGH), the difference reflecting how readily the file inclusion can be turned into code execution on a given deployment (NVD).
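The following self-contained PHP script is an added illustration of the bug class described above, not code from the plugin: the function, variable and template names (vulnerable_get_more_post, hardened_get_more_post, $layout, grid.php, slider.php) are assumed, and the plugin directory and attacker-written file are constructed in a temporary directory so the script runs offline. It shows the same malicious request against the extract()-plus-include() shape and against a handler that reads one field explicitly, allowlists it, and confirms the resolved path stays under the template directory.

```php
<?php
declare(strict_types=1);
// Added illustration of the bug class: extract($_POST) lets the request overwrite
// a local variable that is then handed to include(). This is NOT the plugin's
// code; function, variable and template names are assumed.

// --- constructed fixture: a fake plugin directory with two legitimate templates ---
$pluginDir = sys_get_temp_dir() . '/bdp_demo_' . getmypid();
mkdir("$pluginDir/templates", 0700, true);
file_put_contents("$pluginDir/templates/grid.php",   "<?php echo 'grid layout rendered';");
file_put_contents("$pluginDir/templates/slider.php", "<?php echo 'slider layout rendered';");
// A file the attacker managed to write elsewhere on disk (the "create, then include"
// scenario on a writable container filesystem).
$evilName = 'evil_' . getmypid();
file_put_contents(sys_get_temp_dir() . "/$evilName.php", "<?php echo 'ATTACKER CODE RAN';");

/**
 * VULNERABLE shape (assumed). extract() registers every POST key as a local
 * variable, so a request with layout=../../something replaces the intended
 * template name and include() loads whatever path results.
 */
function vulnerable_get_more_post(array $post, string $pluginDir): string
{
    $layout = 'grid';            // intended default
    extract($post);              // $layout (and even $pluginDir) now come from the request
    ob_start();
    include $pluginDir . '/templates/' . $layout . '.php';
    return (string) ob_get_clean();
}

/**
 * HARDENED shape. No extract(): the one needed field is read explicitly,
 * checked against an allowlist, and the resolved path is confirmed to stay
 * inside templates/. In WordPress the handler should also call
 * check_ajax_referer(), but a nonce alone does not fix the path handling.
 */
function hardened_get_more_post(array $post, string $pluginDir): string
{
    $layout  = isset($post['layout']) ? (string) $post['layout'] : 'grid';
    $allowed = ['grid', 'slider'];
    if (!in_array($layout, $allowed, true)) {
        return 'rejected: unknown layout';
    }
    $base = realpath($pluginDir . '/templates');
    $file = ($base === false) ? false : realpath($base . '/' . $layout . '.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return 'rejected: template outside plugin directory';
    }
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// --- demo: the same malicious request against both handlers ---
$attack = ['layout' => "../../$evilName"];
echo 'vulnerable: ' . vulnerable_get_more_post($attack, $pluginDir) . PHP_EOL;
echo 'hardened:   ' . hardened_get_more_post($attack, $pluginDir) . PHP_EOL;
echo 'hardened:   ' . hardened_get_more_post(['layout' => 'slider'], $pluginDir) . PHP_EOL;

// --- cleanup of the constructed fixture ---
unlink(sys_get_temp_dir() . "/$evilName.php");
unlink("$pluginDir/templates/grid.php");
unlink("$pluginDir/templates/slider.php");
rmdir("$pluginDir/templates");
rmdir($pluginDir);
```

Run it with `php` on the command line: the vulnerable handler executes the attacker's file because the traversal in layout escapes templates/, while the hardened handler rejects the same request and only renders the allowlisted template. The allowlist is the real fix; the realpath() containment check is a second layer for the case where a template name is ever built from anything other than a fixed list.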
Successful exploitation gives an unauthenticated attacker code execution in the context of the web server, which on a typical WordPress host means full control of the site and a foothold on the server. Turning the file inclusion into code execution requires PHP code the attacker controls to exist somewhere on the local filesystem; on vulnerable Docker configurations, where the web root is writable by the PHP process, an attacker can create a PHP file and then include it through this flaw, potentially leading to complete server compromise. With over 30,000 active installations, the exposure is significant (Security Online).
Users are strongly advised to update to version 3.4.2 of the News & Blog Designer Pack plugin, which contains the fix. If an immediate update is not possible, disable the plugin until it can be updated; because the vulnerable action is reachable without authentication, a site that ran an affected version exposed to the internet should also be reviewed for unexpected PHP files and unusual unauthenticated POST requests to admin-ajax.php (Security Online).
Source: This report was generated using AI