Skip to main content
CVE Vulnerability Database

CVE-2024-6228: WordPress Plugin Path Traversal Flaw

CVE-2024-6228 is a path traversal vulnerability in the Notifications for Forms & WordPress Actions plugin that allows authenticated users to execute arbitrary PHP files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-6228 Overview

CVE-2024-6228 affects the Notifications for Forms & WordPress Actions WordPress plugin in versions before 2.6. The plugin fails to validate a user-supplied value before using it to build a server-side file inclusion path. Authenticated users with subscriber-level access or above can include and execute arbitrary local PHP files on the server. This Local File Inclusion (LFI) flaw enables attackers to run PHP code that already exists on disk, including uploaded content, log files, or bundled scripts. Successful exploitation can lead to information disclosure, privilege escalation, and full site compromise on affected WordPress installations.

Critical Impact

Any authenticated subscriber can trigger arbitrary local PHP file execution, breaking the confidentiality, integrity, and availability of the WordPress host.

Affected Products

  • Notifications for Forms & WordPress Actions WordPress plugin versions prior to 2.6
  • WordPress sites permitting subscriber-level registration with the vulnerable plugin active
  • Any hosting environment running the affected plugin release

Discovery Timeline

  • 2026-07-06 - CVE-2024-6228 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2024-6228

Vulnerability Analysis

The vulnerability is a Local File Inclusion (LFI) flaw in the Notifications for Forms & WordPress Actions plugin. The plugin constructs a file inclusion path from a value supplied through an authenticated request. It performs no validation or sanitization on that value before passing it to a PHP inclusion primitive. An attacker holding subscriber credentials, the lowest privilege tier in WordPress, can therefore reference arbitrary paths on the server. PHP then loads and executes the referenced file within the plugin's runtime context. Because WordPress runs plugins with the same privileges as the web application, executed code can read secrets, modify database contents, or invoke further payloads. The attack requires no user interaction beyond an authenticated HTTP request.

Root Cause

The root cause is missing input validation on a user-controlled parameter later used to build a server-side include path. The plugin does not restrict the value to an allow-list of expected templates or notification files. It also does not resolve and confine the final path to an approved directory. This category of defect is tracked as Local File Inclusion and typically aligns with CWE-98 or CWE-73.

Attack Vector

An attacker first obtains subscriber-level credentials, which many WordPress sites grant through open registration. The attacker then submits an authenticated request to the plugin endpoint responsible for handling notification actions. The malicious request supplies a path value pointing to a PHP file already present on the host, such as an uploaded image with embedded PHP or a bundled library. The plugin includes the file, and PHP executes any code it contains. Technical details are documented in the WPScan Vulnerability Advisory.

Detection Methods for CVE-2024-6228

Indicators of Compromise

  • Requests to plugin AJAX or admin-post endpoints containing path traversal sequences such as ../ or absolute filesystem paths
  • Unexpected PHP execution originating from wp-content/uploads/ or other writable directories
  • New or modified PHP files in the WordPress installation without a corresponding administrator action
  • Subscriber-role accounts issuing POST requests to plugin-controlled endpoints they would not normally use

Detection Strategies

  • Review web server access logs for authenticated requests to the Notifications for Forms & WordPress Actions plugin that contain suspicious file, template, or path parameters
  • Enable PHP open_basedir restrictions and alert on failures that indicate inclusion attempts outside allowed directories
  • Deploy a web application firewall rule that inspects requests for LFI patterns such as ../, null bytes, and PHP wrapper prefixes

Monitoring Recommendations

  • Monitor for creation of new subscriber accounts followed shortly by requests to plugin endpoints
  • Track file integrity across the wp-content/plugins/ and wp-content/uploads/ directories
  • Correlate PHP error logs with authenticated user sessions to surface failed inclusion attempts

How to Mitigate CVE-2024-6228

Immediate Actions Required

  • Update the Notifications for Forms & WordPress Actions plugin to version 2.6 or later on every WordPress instance
  • Audit user accounts and remove untrusted subscriber-level accounts created before patching
  • Disable open user registration if it is not required for site functionality
  • Rotate WordPress secrets, database credentials, and API keys if exploitation is suspected

Patch Information

The vendor addressed the vulnerability in version 2.6 of the plugin by validating the user-supplied value before using it in the file inclusion path. Administrators should upgrade through the WordPress plugin dashboard or by replacing the plugin files with the fixed release. Refer to the WPScan Vulnerability Advisory for advisory details.

Workarounds

  • Deactivate the plugin until the site can be updated to version 2.6
  • Restrict subscriber registration and require administrator approval for new accounts
  • Apply a WAF ruleset that blocks LFI payloads targeting plugin endpoints
  • Configure PHP open_basedir and disable_functions to constrain plugin file access
bash
# Configuration example: restrict PHP file access via php.ini
open_basedir = "/var/www/html:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.