Cyber Resilience

CVE-2024-49317

High

Published: 17 October 2024

Published
17 October 2024
Modified
29 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0558 90.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49317 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-49317 is a PHP Local File Inclusion vulnerability (CWE-98) present in the Point Maker WordPress plugin developed by ZIPANG. The flaw stems from improper control of filenames in include/require statements and affects all versions through 0.1.4.

An authenticated attacker with network access can exploit the issue under high attack complexity conditions, without user interaction, to include arbitrary local PHP files. Successful exploitation grants high impact on confidentiality, integrity, and availability, enabling the attacker to read sensitive files or execute code on the server.

The public advisory published by Patchstack details the vulnerability and is available at the referenced URL. The EPSS score has remained flat at 0.0558 with no observed increase after disclosure.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ZIPANG Point Maker point-maker allows PHP Local File Inclusion.This issue affects Point Maker: from n/a through <= 0.1.4.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References