CVE-2026-57798 HIGH

CVE-2026-57798: WordPress NewsPlus Shortcodes plugin <= 4.2.0 - Local File Inclusion vulnerability

Vendor Saurabhsharma
Product NewsPlus Shortcodes
Weakness CWE-98 · PHP file inclusion
Published July 13, 2026
Last update July 13, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SaurabhSharma NewsPlus Shortcodes newsplus-shortcodes allows PHP Local File Inclusion.This issue affects NewsPlus Shortcodes: from n/a through <= 4.2.0.

Explanation of Vulnerability in Simple Terms

02Summary

NewsPlus Shortcodes versions 4.2.0 and earlier contain a code injection vulnerability. An authenticated user with low privileges can inject and execute arbitrary code on the site by exploiting improper input handling. This requires network access and some attack complexity, but grants full control over site data and functionality.

What an attacker can do

03Attacker Capabilities

Run arbitrary code on the site, read/modify all data, and disable the site.

Potential impact on your site

04Site Impact

Complete compromise of site security, data theft, and potential malware injection.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account; no user interaction required.

Key dates

06Disclosure timeline

July 13, 2026 CVE published