CVE-2023-6989— Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 - Unauthenticated Local File Inclusion
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-6989
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 - Unauthenticated Local File Inclusion
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
PHP程序中Include/Require语句包含文件控制不恰当(PHP远程文件包含)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Shield Security 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Shield Security 18.5.9 版本及之前版本存在安全漏洞,该漏洞源于通过 render_action_template 参数受到本地文件包含的影响。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| paultgoodchild | Shield Security – Smart Bot Blocking & Intrusion Prevention Security | * ~ 18.5.9 | - |
II. Public POCs for CVE-2023-6989
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | The Shield Security Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-6989.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-6989
请登录查看更多情报信息。
IV. Related Vulnerabilities
- CVE-2026-0722
Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQ - CVE-2026-0561
Shield Security <= 21.0.8 - Unauthenticated Reflected Cross- - CVE-2025-14427
Shield Security: Blocks Bots, Protects Users, and Prevents S - CVE-2025-15370
Shield Security <= 21.0.9 - Authenticated (Subscriber+) Inse - CVE-2024-4344
Shield Security – Smart Bot Blocking & Intrusion Prevention
Same vendor: paultgoodchild
- CVE-2026-0722
Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQ - CVE-2026-0561
Shield Security <= 21.0.8 - Unauthenticated Reflected Cross- - CVE-2025-14427
Shield Security: Blocks Bots, Protects Users, and Prevents S - CVE-2025-15370
Shield Security <= 21.0.9 - Authenticated (Subscriber+) Inse - CVE-2024-13742
iControlWP – Multiple WordPress Site Manager <= 4.4.5 - Unau
Same weakness: CWE-98
- CVE-2022-50954
WordPress Plugin cab-fare-calculator 1.0.3 Local File Inclus - CVE-2026-8208
Gibbon<30.0.01本地文件包含致RCE - CVE-2026-41228
Froxlor has Local File Inclusion via path traversal in API ` - CVE-2026-1620
Livemesh Addons by Elementor <= 9.0 - Authenticated (Contrib - CVE-2026-39387
BoidCMS: Local File Inclusion (LFI) leads to Remote Code Exe
V. Comments for CVE-2023-6989
No comments yet