CVE-2023-6295

EUVD-2023-58537
The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
siteoriginsiteorigin_widgets_bundle
𝑥
< 1.51.0
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/adc9ed9f-55b4-43a9-a79d-c7120764f47c
https://wpscan.com/vulnerability/adc9ed9f-55b4-43a9-a79d-c7120764f47c