Cyber Posture

CVE-2024-56264

Medium

Published: 02 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
EPSS Score: 0.1382 (94.3th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-56264 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE ranks in the top 5.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Shell (T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Flaw remediation requires timely patching of the vulnerable ACF City Selector plugin versions through 1.14.0 to eliminate the unrestricted file upload capability.

prevent: Information input validation directly counters the CWE-434 vulnerability by enforcing checks on file types and content during uploads in the plugin.

prevent: Least privilege reduces the attack surface by limiting high-privilege (PR:H) administrative access needed to exploit the file upload functionality.

MITRE ATT&CK Enterprise Techniques · AI

T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Unrestricted file upload (CWE-434) in the WordPress plugin directly enables deployment of web shells for server-side code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector acf-city-selector allows Upload a Web Shell to a Web Server. This issue affects ACF City Selector: from n/a through <= 1.14.0.

Deeper analysis · AI

CVE-2024-56264 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the Beee ACF City Selector WordPress plugin (slug: acf-city-selector). It affects versions from n/a through 1.14.0 and enables attackers to upload a web shell to the web server. The vulnerability received a CVSS v3.1 base score of 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L): a network attack vector, low attack complexity, high privileges required, no user interaction, changed scope, and low impact on each of confidentiality, integrity, and availability.

Exploitation requires high privileges (PR:H), typically administrative access to the WordPress site. An attacker with such privileges can upload dangerous files, such as web shells, directly to the web server, potentially leading to server-side code execution and limited compromise of the affected system.

The Patchstack advisory provides further details on this arbitrary file upload vulnerability in the ACF City Selector plugin version 1.14.0, available at https://patchstack.com/database/Wordpress/Plugin/acf-city-selector/vulnerability/wordpress-acf-city-selector-plugin-1-14-0-arbitrary-file-upload-vulnerability?_s_id=cve. Security practitioners should review it for recommended mitigations.

Details

CWE(s)

CVEs Like This One

CVE-2024-56249 (shared CWE-434)
CVE-2026-4808 (shared CWE-434)
CVE-2026-22241 (shared CWE-434)
CVE-2025-23942 (shared CWE-434)
CVE-2024-55417 (shared CWE-434)
CVE-2020-36942 (shared CWE-434)
CVE-2024-57169 (shared CWE-434)
CVE-2023-53933 (shared CWE-434)
CVE-2025-68909 (shared CWE-434)
CVE-2021-47757 (shared CWE-434)
