CVE-2024-56264 in ACF City Selector Plugin
Summary
by MITRE • 01/02/2025
Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector allows Upload a Web Shell to a Web Server.This issue affects ACF City Selector: from n/a through 1.14.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/02/2025
The vulnerability identified as CVE-2024-56264 represents a critical security flaw in the Beee ACF City Selector plugin that exposes systems to remote code execution through unrestricted file uploads. This weakness allows attackers to bypass normal file validation mechanisms and upload malicious files directly to the web server, creating a severe attack surface that can be exploited for complete system compromise. The vulnerability exists within the plugin's file upload functionality where proper input sanitization and file type validation are either absent or insufficiently implemented.
The technical nature of this flaw aligns with CWE-434, which specifically addresses the unrestricted upload of files with dangerous types. This classification indicates that the plugin fails to properly validate file extensions, MIME types, or file contents before allowing uploads to proceed. The vulnerability affects all versions of the ACF City Selector plugin from the initial release through version 1.14.0, suggesting a persistent issue that has not been adequately addressed in the software lifecycle. Attackers can exploit this weakness by uploading web shell files that can execute arbitrary code on the target server, effectively granting them full administrative control over the compromised system.
The operational impact of CVE-2024-56264 extends beyond simple data theft or service disruption. When an attacker successfully uploads a web shell, they gain persistent access to the compromised server, enabling them to establish backdoors, exfiltrate sensitive data, deploy additional malware, or use the system as a launchpad for further attacks within the network. This vulnerability particularly affects WordPress environments where the ACF City Selector plugin is installed, making it a prime target for automated scanning tools that specifically look for known vulnerabilities in popular plugins. The attack vector typically involves exploiting the plugin's administrative upload interface or any front-end upload functionality that lacks proper access controls and validation mechanisms.
Mitigation strategies for this vulnerability require immediate action including patching the affected plugin to version 1.14.1 or later where the file upload restrictions have been properly implemented. Organizations should also implement additional security measures such as restricting file upload capabilities to authenticated administrators only, implementing strict file type validation with allowlists rather than denylists, and configuring web server-level restrictions to prevent execution of uploaded files in web-accessible directories. The ATT&CK framework categorizes this type of vulnerability under T1190 - Exploit Public-Facing Application, and T1059 - Command and Scripting Interpreter, as attackers leverage the uploaded web shell to execute commands and maintain persistence. Regular security audits of installed plugins and themes, combined with automated vulnerability scanning tools, can help identify similar issues before they can be exploited by malicious actors.