Wordfence received a submission for a Local File Inclusion vulnerability in Shield Security, a WordPress plugin with more than 50,000+ active installations, as part of their bug bounty program. It’s important to note that this vulnerability is limited to just the inclusion of PHP files, however, it could be leveraged by an attacker who has the ability to upload PHP files but can not directly access those files to execute.
Props to hir0ot who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $938.00 for this discovery during our Bug Bounty Program Extravaganza.
All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Directory Traversal and Local File Inclusion protection.
Wordfence contacted the Shield Security Team on December 21, 2023, and received a response on December 23, 2023. After providing full disclosure details, the developer released a patch on December 23, 2023. We would like to commend the Shield Security Team for their prompt response and timely patch, which was released on the same day.
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
We urge users to update their sites with the latest patched version of Shield Security, which is version 18.5.10, as soon as possible.