cve/2023/CVE-2023-6989.md

### [CVE-2023-6989](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6989)
![](https://img.shields.io/static/v1?label=Product&message=Shield%20Security%20%E2%80%93%20Smart%20Bot%20Blocking%20%26%20Intrusion%20Prevention%20Security&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=*%3C%3D%2018.5.9%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-98%20Improper%20Control%20of%20Filename%20for%20Include%2FRequire%20Statement%20in%20PHP%20Program%20('PHP%20Remote%20File%20Inclusion')&color=brighgreen)

### Description

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds