The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
The vulnerability results from improper handling of the 'template' parameter in the plugin's AJAX module (class-nbdb-ajax.php file), which without appropriate validation allows specifying any .php file on the server. An attacker can remotely make a request pointing to a PHP file of their choice, which will then be loaded and executed by the server. In a scenario where an attacker can previously upload their own .php file to the server (e.g., through another functionality), full Remote Code Execution is possible. The vulnerability is classified as CWE-98 (improper control of filename for include/require statement).
An unauthenticated attacker can execute arbitrary PHP code on the server, bypass access control mechanisms, gain access to sensitive data, or take complete control of the server hosting the WordPress website.
The 'News and Blog Designer Bundle' plugin should be updated immediately to a version higher than 1.1. If an update is not yet available, the plugin should be deactivated or removed, and PHP file uploads to the server should be restricted. Detailed information is available in the vendor references and Wordfence database.
WordPress plugin 'News and Blog Designer Bundle' in all versions up to and including 1.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H