CVE-2026-57798 in NewsPlus Shortcodes Plugininfo

Summary

by MITRE • 07/13/2026

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SaurabhSharma NewsPlus Shortcodes newsplus-shortcodes allows PHP Local File Inclusion.This issue affects NewsPlus Shortcodes: from n/a through <= 4.2.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

The vulnerability described represents a critical improper control of filename for include/require statements in PHP programs, commonly known as PHP Remote File Inclusion or Local File Inclusion. This flaw exists within the SaurabhSharma NewsPlus Shortcodes plugin where user-controllable input is directly used in include or require functions without proper validation or sanitization. The vulnerability allows attackers to manipulate the filename parameter passed to these PHP directives, potentially enabling arbitrary code execution or unauthorized access to sensitive files on the server.

This security weakness falls under CWE-98, which specifically addresses Improper Control of Filename for Include/Require Statement in PHP Program, and is closely related to CWE-22, Improper Limitation of a Pathname to a Restricted Directory. The vulnerability operates by allowing an attacker to inject malicious file paths into the include/require statements, which then get executed within the context of the web application. In the case of NewsPlus Shortcodes version 4.2.0 and earlier, this flaw enables PHP Local File Inclusion attacks that can be exploited through various attack vectors including direct manipulation of shortcode parameters or via crafted URLs that pass malicious filenames to vulnerable include functions.

The operational impact of this vulnerability is severe and can result in complete system compromise. An attacker with knowledge of the vulnerability can potentially execute arbitrary PHP code on the target server, gain access to sensitive data, escalate privileges, or establish persistent backdoors. The attack surface is particularly concerning because it affects all versions up to and including 4.2.0, indicating a long-standing security flaw that has not been addressed in the affected plugin. This vulnerability also aligns with ATT&CK technique T1505.003 for Server Software Component and T1078 for Valid Accounts, as exploitation may lead to privilege escalation or persistence mechanisms.

Mitigation strategies should include immediate patching of the vulnerable plugin to version 4.2.1 or later where the vulnerability has been addressed through proper input validation and sanitization. Organizations should implement strict input validation controls that prevent user-supplied data from being directly used in include/require statements, instead utilizing allowlists of approved file paths or implementing proper file path normalization techniques. Additional protective measures include restricting PHP's allow_url_include directive to false, implementing web application firewalls with rules specific to blocking suspicious include patterns, and conducting regular security audits of plugin code to identify similar vulnerabilities. The remediation process should also involve monitoring for exploitation attempts and implementing proper logging mechanisms to detect unauthorized access attempts to sensitive files through this vulnerability channel.

Responsible

Patchstack

Reservation

06/25/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00496

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!