CVE-2024-50434 in NewsCard Plugininfo

Summary

by MITRE • 10/28/2024

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse NewsCard newscard.This issue affects NewsCard: from n/a through <= 1.3.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/06/2026

This vulnerability represents a critical improper control of filename for include/require statements in PHP applications, commonly categorized as PHP Remote File Inclusion or RFIs. The flaw exists within the themehorse NewsCard plugin where user-supplied input is directly incorporated into include or require statements without proper validation or sanitization. This creates an avenue for remote attackers to execute arbitrary code on the target system by manipulating the filename parameter used in PHP's include/require functions. The vulnerability specifically impacts versions of the NewsCard plugin from an unspecified starting point through version 1.3, indicating that older versions may not be affected but the exact vulnerable range requires further investigation.

The technical implementation of this vulnerability stems from the plugin's failure to properly validate or sanitize user input before using it in dynamic include statements. When a PHP application uses functions like include(), require(), include_once(), or require_once() with user-controllable variables, it opens the door for attackers to inject malicious file paths. In this case, the vulnerability manifests when the plugin accepts filename parameters through user input and directly incorporates them into PHP include statements without proper input validation or sanitization. This allows attackers to specify arbitrary file paths that could point to remote malicious files hosted on attacker-controlled servers, enabling remote code execution capabilities.

The operational impact of this vulnerability is severe as it can lead to complete system compromise when exploited successfully. An attacker who successfully exploits this vulnerability can execute arbitrary code on the target server with the privileges of the web application. This could result in data theft, system takeover, lateral movement within the network, and potential persistence mechanisms. The vulnerability affects WordPress installations using the affected NewsCard plugin, making it particularly dangerous in environments where WordPress is widely deployed. Attackers could leverage this vulnerability to gain unauthorized access to sensitive data, install backdoors, or use the compromised system as a launching point for further attacks against the broader network infrastructure.

The vulnerability aligns with CWE-98, which describes improper control of filename for include/require statements, and represents a common pattern in web application security flaws. From an attack perspective, this vulnerability maps to ATT&CK technique T1190, which covers exploiting vulnerabilities in web applications, and T1059, which involves executing commands through the command and scripting interpreter. The exploitation typically involves crafting malicious URLs or request parameters that include the target server's IP address or domain name along with a malicious PHP script hosted on an attacker-controlled server. Mitigation strategies should include immediate patching of the affected plugin to version 1.4 or later, implementing proper input validation and sanitization, disabling remote file inclusion in PHP configuration, and monitoring for suspicious include/require operations in web server logs. Additionally, network-based intrusion detection systems should be configured to detect patterns associated with RFI attacks, and regular security audits should be performed to identify similar vulnerabilities in other plugins or themes.

Responsible

Patchstack

Reservation

10/24/2024

Disclosure

10/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00443

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!