CVE-2026-57798

SaurabhSharma · NewsPlus Shortcodes

The NewsPlus Shortcodes WordPress plugin is vulnerable to Local File Inclusion (LFI) due to improper control of filenames used in include/require statements.

Executive summary

A high-severity Local File Inclusion vulnerability in the NewsPlus Shortcodes WordPress plugin allows authenticated attackers to potentially execute arbitrary PHP code.

Vulnerability

This vulnerability, classified as CWE-98, occurs because the plugin fails to properly validate user-supplied input before using it in file inclusion functions. An attacker with low-level privileges can manipulate these inputs to include arbitrary local files, leading to sensitive information disclosure or remote code execution.

Business impact

Successful exploitation of this flaw could allow an attacker to read sensitive configuration files or execute arbitrary code on the underlying web server. Given the CVSS score of 7.5, this poses a significant risk to data confidentiality, integrity, and system availability. Unauthorized access to the server environment can lead to full site compromise and potential lateral movement within the network.

Remediation

Immediate Action: No patch is currently available; users should immediately deactivate and uninstall the NewsPlus Shortcodes plugin until a security update is released by the vendor.

Proactive Monitoring: Monitor server access logs for unusual file path traversal patterns (e.g., ../ strings) or requests targeting sensitive system files like wp-config.php.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences directed at the plugin’s directory.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the lack of a vendor-supplied patch, the most effective remediation is the immediate removal of the vulnerable plugin. Administrators should prioritize identifying instances of this plugin in their environment and maintain a restrictive posture until a version containing a security fix is confirmed available.