CVE-2024-6228
Summary
by MITRE • 07/06/2026
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/06/2026
This vulnerability exists within the Notifications for Forms & WordPress Actions WordPress plugin version 2.5 and earlier, representing a critical server-side file inclusion flaw that enables authenticated attackers to execute arbitrary PHP code on affected systems. The security issue stems from insufficient input validation in the plugin's handling of user-supplied parameters that are subsequently incorporated into server-side file paths without proper sanitization or verification. Attackers with subscriber-level privileges or higher can exploit this weakness to include and execute local PHP files, effectively bypassing normal access controls and potentially gaining full system compromise.
The technical implementation of this vulnerability follows a classic path traversal and file inclusion pattern where user-controllable data flows directly into file system operations without adequate validation. When authenticated users submit requests containing malicious file paths or references, the plugin processes these inputs without proper sanitization mechanisms, allowing attackers to manipulate the file inclusion logic. This flaw aligns with CWE-98 and CWE-22 categories, specifically addressing improper input validation that leads to local file inclusion vulnerabilities within web applications. The vulnerability operates at the application layer and demonstrates how insufficient parameter validation can create dangerous attack vectors even within authenticated sessions.
The operational impact of this vulnerability extends beyond simple code execution capabilities as it provides attackers with persistent access to compromised systems through the WordPress installation. Once exploited, threat actors can leverage the compromised plugin to establish backdoors, modify content, steal sensitive data, or deploy additional malware payloads. The low privilege requirement for exploitation makes this particularly dangerous as it can be leveraged by users who normally have limited access to system resources. This vulnerability enables attackers to potentially escalate privileges beyond their initial access level and could facilitate broader compromise of the entire WordPress installation.
Mitigation strategies should focus on immediate plugin updates to version 2.6 or later, which contain the necessary input validation fixes for this vulnerability. Organizations should also implement network-level restrictions to limit access to WordPress admin interfaces and consider implementing web application firewalls that can detect and block suspicious file inclusion patterns. Regular security audits of WordPress plugins and themes remain essential for identifying similar vulnerabilities, while maintaining up-to-date backups ensures rapid recovery from potential exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1059.007 for scripting languages and T1566 for malicious file execution, highlighting its potential use in establishing persistence and executing unauthorized code within the target environment.