CVE-2024-6228 Overview
CVE-2024-6228 affects the Notifications for Forms & WordPress Actions WordPress plugin in versions before 2.6. The plugin fails to validate a user-supplied value before using it to build a server-side file inclusion path. Authenticated users with subscriber-level access or above can include and execute arbitrary local PHP files on the server. This Local File Inclusion (LFI) flaw enables attackers to run PHP code that already exists on disk, including uploaded content, log files, or bundled scripts. Successful exploitation can lead to information disclosure, privilege escalation, and full site compromise on affected WordPress installations.
Critical Impact
Any authenticated subscriber can trigger arbitrary local PHP file execution, breaking the confidentiality, integrity, and availability of the WordPress host.
Affected Products
- Notifications for Forms & WordPress Actions WordPress plugin versions prior to 2.6
- WordPress sites permitting subscriber-level registration with the vulnerable plugin active
- Any hosting environment running the affected plugin release
Discovery Timeline
- 2026-07-06 - CVE-2024-6228 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2024-6228
Vulnerability Analysis
The vulnerability is a Local File Inclusion (LFI) flaw in the Notifications for Forms & WordPress Actions plugin. The plugin constructs a file inclusion path from a value supplied through an authenticated request. It performs no validation or sanitization on that value before passing it to a PHP inclusion primitive. An attacker holding subscriber credentials, the lowest privilege tier in WordPress, can therefore reference arbitrary paths on the server. PHP then loads and executes the referenced file within the plugin's runtime context. Because WordPress runs plugins with the same privileges as the web application, executed code can read secrets, modify database contents, or invoke further payloads. The attack requires no user interaction beyond an authenticated HTTP request.
Root Cause
The root cause is missing input validation on a user-controlled parameter later used to build a server-side include path. The plugin does not restrict the value to an allow-list of expected templates or notification files. It also does not resolve and confine the final path to an approved directory. This category of defect is tracked as Local File Inclusion and typically aligns with CWE-98 or CWE-73.
Attack Vector
An attacker first obtains subscriber-level credentials, which many WordPress sites grant through open registration. The attacker then submits an authenticated request to the plugin endpoint responsible for handling notification actions. The malicious request supplies a path value pointing to a PHP file already present on the host, such as an uploaded image with embedded PHP or a bundled library. The plugin includes the file, and PHP executes any code it contains. Technical details are documented in the WPScan Vulnerability Advisory.
Detection Methods for CVE-2024-6228
Indicators of Compromise
- Requests to plugin AJAX or admin-post endpoints containing path traversal sequences such as ../ or absolute filesystem paths
- Unexpected PHP execution originating from wp-content/uploads/ or other writable directories
- New or modified PHP files in the WordPress installation without a corresponding administrator action
- Subscriber-role accounts issuing POST requests to plugin-controlled endpoints they would not normally use
Detection Strategies
- Review web server access logs for authenticated requests to the Notifications for Forms & WordPress Actions plugin that contain suspicious file, template, or path parameters
- Enable PHP open_basedir restrictions and alert on failures that indicate inclusion attempts outside allowed directories
- Deploy a web application firewall rule that inspects requests for LFI patterns such as ../, null bytes, and PHP wrapper prefixes
Monitoring Recommendations
- Monitor for creation of new subscriber accounts followed shortly by requests to plugin endpoints
- Track file integrity across the wp-content/plugins/ and wp-content/uploads/ directories
- Correlate PHP error logs with authenticated user sessions to surface failed inclusion attempts
How to Mitigate CVE-2024-6228
Immediate Actions Required
- Update the Notifications for Forms & WordPress Actions plugin to version 2.6 or later on every WordPress instance
- Audit user accounts and remove untrusted subscriber-level accounts created before patching
- Disable open user registration if it is not required for site functionality
- Rotate WordPress secrets, database credentials, and API keys if exploitation is suspected
Patch Information
The vendor addressed the vulnerability in version 2.6 of the plugin by validating the user-supplied value before using it in the file inclusion path. Administrators should upgrade through the WordPress plugin dashboard or by replacing the plugin files with the fixed release. Refer to the WPScan Vulnerability Advisory for advisory details.
Workarounds
- Deactivate the plugin until the site can be updated to version 2.6
- Restrict subscriber registration and require administrator approval for new accounts
- Apply a WAF ruleset that blocks LFI payloads targeting plugin endpoints
- Configure PHP open_basedir and disable_functions to constrain plugin file access
# Configuration example: restrict PHP file access via php.ini
open_basedir = "/var/www/html:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

