CVE-2023-6989: 
WordPress vulnerability analysis and mitigation

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress was found to contain a critical Local File Inclusion (LFI) vulnerability, identified as CVE-2023-6989. The vulnerability affects all versions up to and including 18.5.9 and was discovered by researcher hir0ot through the Wordfence Bug Bounty Program. This security flaw impacts over 50,000 active WordPress installations (Security Online, NVD).

The vulnerability stems from improper file path sanitization within the plugin's template management system, specifically in the render_action_template parameter. The flaw received a Critical CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability allows unauthenticated attackers to include and execute PHP files on the server, potentially leading to the execution of arbitrary PHP code. While the scope is limited to PHP file inclusion, it presents a significant risk, especially when combined with other plugin vulnerabilities (Security Online).

Users of the Shield Security plugin are strongly advised to update to version 18.5.10 or later, which contains the patch for this vulnerability (Security Online).