CVE-2023-2435 HIGH

CVE-2023-2435: Blog-in-Blog <= 2.0.0 - Authenticated (Editor+) Local File Inclusion via Shortcode

Vendor Timhodson

Product Blog-in-Blog

Weakness CWE-22 · Path traversal

Published May 31, 2023

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Blog-in-Blog plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.0 via a shortcode attribute. This allows editor-level, and above, attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Key dates

02Disclosure timeline

May 31, 2023 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-2435 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/22.html

Related vulnerabilities

CVE-2023-2435: Blog-in-Blog <= 2.0.0 - Authenticated (Editor+) Local File Inclusion via Shortcode

01Description

02Disclosure timeline

03References

04Related CVE