CVE-2024-32523 in Mailster Plugininfo

Summary

by MITRE • 05/17/2024

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EverPress Mailster mailster.This issue affects Mailster: from n/a through <= 4.0.6.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/02/2026

The CVE-2024-32523 vulnerability represents a critical improper control of filename for include/require statement in PHP programs, commonly categorized as PHP Remote File Inclusion or RFInclusion. This vulnerability exists within the EverPress Mailster plugin, specifically affecting versions from the initial release through version 4.0.6. The flaw stems from insufficient validation of user-supplied input that is used in dynamic include or require statements within the PHP codebase. When a web application fails to properly sanitize or validate file paths before including external files, it creates an opportunity for malicious actors to manipulate the inclusion process and potentially execute arbitrary code on the target server.

The technical implementation of this vulnerability occurs when user-controllable parameters are directly passed to PHP's include or require functions without proper input validation or sanitization. Attackers can exploit this by crafting malicious URLs or parameters that point to remote servers hosting malicious PHP code, which then gets executed on the vulnerable system. This type of vulnerability falls under CWE-98, which specifically addresses improper control of code generation capabilities, and aligns with ATT&CK technique T1505.003 for server-side include attacks. The vulnerability's impact is particularly severe because it can lead to complete system compromise, allowing attackers to execute arbitrary commands, access sensitive data, or establish persistent backdoors.

The operational impact of this vulnerability extends beyond simple code execution, as it can enable attackers to gain unauthorized access to the entire mail server infrastructure. In the context of Mailster, which is a popular WordPress mailing plugin, this vulnerability could allow attackers to compromise email campaigns, access user databases, or even use the compromised server for sending spam emails. The attack surface is significant because the vulnerable code is likely accessible through various user-facing interfaces or administrative functions within the plugin. This type of vulnerability is particularly dangerous in shared hosting environments where a compromised plugin could potentially affect other websites hosted on the same server.

Mitigation strategies for CVE-2024-32523 should include immediate patching of the Mailster plugin to version 4.0.7 or later, which contains the necessary fixes for the improper filename control issue. Organizations should also implement input validation measures to ensure that any user-supplied data used in include/require statements is properly sanitized and validated against a whitelist of allowed values. Network-level protections such as web application firewalls can help detect and block malicious requests attempting to exploit this vulnerability. Additionally, administrators should disable the ability to include remote files in PHP configurations and enforce strict file path validation throughout the application code. Regular security audits and monitoring of plugin updates are essential practices to prevent exploitation of similar vulnerabilities in the future, as this type of issue frequently appears in legacy codebases where proper input validation was not implemented during initial development phases.

Responsible

Patchstack

Reservation

04/15/2024

Disclosure

05/17/2024

Moderation

accepted

CPE

ready

EPSS

0.01754

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!