CVE-2024-6228
Received Received - Intake

Notifications for Forms & WordPress Actions Path Traversal

Vulnerability report for CVE-2024-6228, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: WPScan

Description

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Notifications for Forms & WordPress Actions (WANotifier) plugin for WordPress, versions before 2.6. It is a Local File Inclusion (LFI) flaw that allows authenticated users with subscriber-level access or higher to include and execute arbitrary local PHP files on the server.

This happens because the plugin does not properly validate or sanitize a user-supplied parameter before using it to build a server-side file inclusion path. An attacker can manipulate this parameter to perform path traversal and include malicious PHP files, leading to code execution on the server.

For example, an attacker can create a PHP file like `phpinfo.php` on the server and then send a crafted request that causes the plugin to include and execute this file, revealing sensitive server information.

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of arbitrary PHP code on the server by users with subscriber-level access or higher.

An attacker could exploit this to disclose sensitive server information, manipulate server behavior, or potentially escalate privileges, compromising the security and integrity of the affected WordPress site.

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable WANotifier plugin version (prior to 2.6) on your WordPress installation.

Additionally, detection can involve monitoring for suspicious POST requests to the endpoint `/wp-admin/admin-ajax.php` with the parameter `btn_style` containing path traversal sequences such as `../../../../../phpinfo`.

A proof of concept involves creating a file named `phpinfo.php` in the website root with the content `<?php phpinfo(); ?>` and then sending a crafted POST request to trigger the inclusion and execution of this file.

  • Use curl or similar tools to send a POST request to `/wp-admin/admin-ajax.php` with `btn_style=../../../../../phpinfo` and check if the phpinfo output is returned.
  • Example curl command: `curl -X POST -d "btn_style=../../../../../phpinfo" https://yourwordpresssite.com/wp-admin/admin-ajax.php --cookie "wordpress_logged_in=your_auth_cookie"`

Note that authentication as a subscriber-level user or higher is required to perform this test.

Mitigation Strategies

The immediate mitigation step is to update the WANotifier WordPress plugin to version 2.6 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict subscriber-level user access and monitor for suspicious activity involving the vulnerable plugin.

Additionally, consider implementing web application firewall (WAF) rules to block requests containing path traversal sequences targeting the vulnerable parameter.

Compliance Impact

The vulnerability allows authenticated users with subscriber-level access to include and execute arbitrary local PHP files on the server, potentially leading to unauthorized disclosure of sensitive information.

Such unauthorized access and potential data disclosure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-6228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart