Platform: wordpress
Component: wpdirectorykit
Fixed in: 1.1.10
CVE-2023-2278 is a critical Local File Inclusion (LFI) vulnerability affecting the WP Directory Kit plugin for WordPress. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions of the plugin up to and including 1.1.9. A patch is available; upgrading is the recommended remediation.
The impact of CVE-2023-2278 is severe. An attacker exploiting this LFI vulnerability can execute arbitrary PHP code on the web server. This can lead to a complete takeover of the WordPress site, including data exfiltration, modification of website content, and installation of malicious software. The attacker could gain access to sensitive data stored in the WordPress database, such as user credentials, customer information, and financial data. The compromised server could also be used as a foothold for attacks against other systems on the network, significantly expanding the blast radius. As with other LFI vulnerabilities, the path from file inclusion to code execution is short, which is why it is rated critical.
CVE-2023-2278 was publicly disclosed on June 13, 2023. The vulnerability is considered highly exploitable because no authentication is required and arbitrary files can be included with little effort. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk of exploitation. While no active campaigns have been definitively linked to this CVE as of this writing, the severity and ease of exploitation warrant immediate attention. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.66% (71st percentile)
CVSS Vector
The primary mitigation for CVE-2023-2278 is to upgrade the WP Directory Kit plugin to a patched version (1.1.10 or later). If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporary workarounds: restrict file upload permissions so that attackers cannot stage malicious PHP files on the server, and configure a Web Application Firewall (WAF) to block requests containing suspicious file paths or traversal patterns. Regularly review installed WordPress plugins and remove any that are unused or outdated. After upgrading, verify the fix by confirming that the installed plugin version is 1.1.10 or later and by requesting a non-existent PHP file through the previously vulnerable endpoint, which the patched version should refuse to include.
Update the WP Directory Kit plugin to the latest available version. The vulnerability allows Local File Inclusion, which can lead to arbitrary code execution on the server.
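The version check described above, as an added example that is not code from the advisory or from the plugin itself. It assumes the standard WordPress layout (the plugin lives in wp-content/plugins/wpdirectorykit) and the standard plugin header comment that wp-admin reads to display the version; the sample header in the demo is constructed, not taken from the real plugin.

```python
"""Check whether an installed WP Directory Kit copy is still at a version
affected by CVE-2023-2278 (fixed in 1.1.10), by reading the WordPress
plugin header ("Version: x.y.z") that wp-admin itself uses."""
import re
from pathlib import Path

FIXED_IN = (1, 1, 10)           # from the advisory: fixed in 1.1.10
PLUGIN_SLUG = "wpdirectorykit"  # plugin directory under wp-content/plugins
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)

def parse_version(text: str) -> tuple:
    """Turn '1.1.9' or '1.1.10-beta' into a comparable tuple such as (1, 1, 9)."""
    nums = re.match(r"(\d+(?:\.\d+)*)", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in nums.group(1).split("."))

def version_from_header(php_source: str):
    """Extract the Version: field from a plugin header comment, or None."""
    m = HEADER_RE.search(php_source)
    return parse_version(m.group(1)) if m else None

def is_affected(version: tuple) -> bool:
    """Versions up to and including 1.1.9 are affected; 1.1.10+ are fixed."""
    padded = version + (0,) * (len(FIXED_IN) - len(version))  # (1, 1) -> (1, 1, 0)
    return padded < FIXED_IN

def check_install(wp_root: str):
    """Locate the plugin's main file under a WordPress root (assumed layout)."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    for php in sorted(plugin_dir.glob("*.php")):
        src = php.read_text(errors="replace")
        if "Plugin Name:" in src:        # marks the plugin's main file
            v = version_from_header(src)
            if v is not None:
                return v, is_affected(v)
    return None, None                    # not installed or no header found

if __name__ == "__main__":
    # Constructed sample header for the demo, not a file from the real plugin.
    sample = "<?php\n/**\n * Plugin Name: WP Directory Kit\n * Version: 1.1.9\n */\n"
    v = version_from_header(sample)
    print(v, "affected" if is_affected(v) else "patched")
```

Run `check_install("/var/www/html")` (or wherever WordPress is installed) on a real host; it returns the parsed version and whether it is still in the affected range.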
CVE-2023-2278 is a critical Local File Inclusion (LFI) vulnerability in the WP Directory Kit plugin for WordPress versions up to 1.1.9, allowing attackers to execute arbitrary PHP code.
If you are running the WP Directory Kit plugin at version 1.1.9 or earlier, you are vulnerable to this LFI flaw.
Upgrade the WP Directory Kit plugin to the latest available version to patch the vulnerability. If immediate upgrade is not possible, implement temporary workarounds like restricting file upload permissions.
While no confirmed active campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation.
Check the WP Directory Kit plugin's official website and WordPress plugin repository for security advisories and updates related to CVE-2023-2278.