Cyber Resilience

CVE-2024-56264

Medium

Published: 02 January 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 6.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
EPSS Score: 0.1767 (95.3rd percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-56264 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Beee ACF City Selector WordPress plugin, affecting all versions through 1.14.0. Its CVSS 3.1 base score is 6.6 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Web Shell (T1505.003). Its EPSS score places it in the top 4.7% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2024-56264 is an unrestricted upload of a file with dangerous type, tracked as CWE-434, in the Beee ACF City Selector WordPress plugin. It affects all versions through 1.14.0 and permits an attacker to upload a web shell to the server. The issue carries a CVSS 3.1 score of 6.6 with network attack vector, low complexity, and high privileges required.

An authenticated user holding a high-privilege role (PR:H, in practice a WordPress administrator) can exploit the flaw remotely and without user interaction to upload arbitrary files, including executable web shells. CVSS rates the confidentiality, integrity and availability impacts as low, with a scope change because the vulnerable component (the plugin) differs from the component ultimately affected (the web server host). One caveat for triage, from general WordPress behaviour rather than from the advisory: on a single-site install where DISALLOW_FILE_MODS is not set, an administrator can already install arbitrary plugin code, so this bug matters most where plugin installation has been locked down, on multisite where site administrators cannot install plugins, or as a persistence path that leaves a file under the uploads directory instead of in the plugin list.

The Patchstack advisory at the referenced URL documents the arbitrary file upload vulnerability and is the primary public source tracking the issue for WordPress site operators.

The associated EPSS score currently stands at 0.1767 after reaching a peak of 0.1880, reflecting moderate and relatively stable exploitation probability since disclosure.

EU & UK References

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector acf-city-selector allows Upload a Web Shell to a Web Server. This issue affects ACF City Selector: from n/a through <= 1.14.0.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1505.003 Server Software Component: Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload (CWE-434) in the WordPress plugin directly enables deployment of web shells for server-side code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
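Added example (not code from the advisory, Patchstack or the plugin): a small Python triage script for the two questions a responder asks first after an advisory like this one, whether the installed plugin is at or below 1.14.0 and whether anything executable or shell-like has been written under wp-content/uploads, the usual landing spot for a CWE-434 upload. It runs offline against a constructed sample WordPress tree in a temporary directory. The plugin directory name acf-city-selector comes from the vulnerability details above; the plugin main-file name used in the sample is an assumption, so the version check reads the standard WordPress plugin header ("Plugin Name:" / "Version:") from whichever PHP file carries it rather than relying on a file name.

```python
"""Post-advisory triage for CVE-2024-56264 (added example; not from the advisory or plugin).

Checks: (1) installed ACF City Selector version <= 1.14.0?
        (2) executable or shell-like files under wp-content/uploads?
Runs offline against a constructed sample tree built in a temp directory.
"""
import re
import tempfile
from pathlib import Path

AFFECTED_SLUG = "acf-city-selector"      # plugin directory name, from the CVE description
LAST_AFFECTED = (1, 14, 0)               # "through <= 1.14.0"

# Extensions typically executed by mod_php/PHP-FPM, plus .htaccess, which on Apache
# can re-map a harmless extension to PHP if dropped into the uploads directory.
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".htaccess"}
# Primitives that appear in nearly every PHP web shell.
SHELL_PATTERNS = re.compile(
    rb"(?:eval|assert|system|passthru|shell_exec|exec|base64_decode)\s*\(|\$_(?:GET|POST|REQUEST)\[",
    re.IGNORECASE,
)


def parse_version(text):
    """'1.14' -> (1, 14, 0); tolerant of suffixes like '1.14.0-beta'."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def plugin_version(wp_root):
    """Read the version from the WordPress plugin header of whichever PHP file carries it."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / AFFECTED_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in plugin_dir.glob("*.php"):
        header = php.read_text(errors="replace")[:8192]
        if "Plugin Name:" not in header:
            continue
        m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def is_affected(version):
    return version is not None and parse_version(version) <= LAST_AFFECTED


def hunt_uploads(wp_root):
    """Return [(relative path, [reasons])] for suspicious files under uploads."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    findings = []
    for path in uploads.rglob("*"):
        if not path.is_file():
            continue
        # every dotted component counts, so shell.php.jpg and .htaccess are both caught
        exts = {"." + part for part in path.name.lower().split(".")[1:]}
        head = path.read_bytes()[:65536]
        reasons = []
        if exts & EXEC_EXTS:
            reasons.append("executable extension")
        if b"<?php" in head or b"<?=" in head:
            reasons.append("php open tag")
        if SHELL_PATTERNS.search(head):
            reasons.append("shell-like code")
        if reasons:
            findings.append((path.relative_to(uploads).as_posix(), reasons))
    return sorted(findings)


def build_sample_site():
    """Constructed sample data, not a real site: vulnerable plugin plus two planted files."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    plug = root / "wp-content" / "plugins" / AFFECTED_SLUG
    plug.mkdir(parents=True)
    # main-file name is an assumption; only the header matters to plugin_version()
    (plug / "acf-city-selector.php").write_text(
        "<?php\n/*\nPlugin Name: ACF City Selector\nVersion: 1.14.0\n*/\n")
    up = root / "wp-content" / "uploads" / "2025" / "01"
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (up / "cities.php").write_bytes(b"<?php @eval($_POST['c']); ?>")
    (up / "avatar.php.jpg").write_bytes(b"GIF89a<?php system($_GET['cmd']); ?>")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    v = plugin_version(site)
    print(f"{AFFECTED_SLUG} {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for rel, why in hunt_uploads(site):
        print(f"  {rel}: {', '.join(why)}")
```

Point hunt_uploads() and plugin_version() at a real document root instead of the sample tree to use it on a site. A PHP file under uploads is a finding on its own even without shell-like content, because nothing legitimate should put executable code there; the content patterns exist to catch the polyglot case where a shell hides behind an image extension.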

CVEs Like This One

CVE-2026-22241 (shared CWE-434)
CVE-2025-23942 (shared CWE-434)
CVE-2026-4808 (shared CWE-434)
CVE-2021-35485 (shared CWE-434)
CVE-2024-56249 (shared CWE-434)
CVE-2024-55417 (shared CWE-434)
CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)

Affected Assets

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 Flaw Remediation

Flaw remediation means updating any installation of ACF City Selector at version 1.14.0 or earlier to a release that fixes the upload check; where no fixed release is available, deactivate and remove the plugin rather than leaving the upload path reachable.

prevent: SI-10 Information Input Validation

Information input validation directly counters CWE-434: the upload handler must enforce an allowlist of extensions, verify that the file content matches the claimed type, reject names with multiple extensions or leading dots, and store the file under a server-generated name in a location where the web server does not execute scripts.

prevent: AC-6 Least Privilege

Least privilege reduces the attack surface by limiting the high-privilege (PR:H) administrative access needed to reach the upload functionality: keep the administrator role to the few accounts that need it and review those accounts regularly, since every one of them is an exploitation path for this flaw.
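The SI-10 control above names the check; this added example (not the plugin's code, and not WordPress core) shows in Python what an upload validator that actually closes the web-shell path looks like, next to the trusting pattern behind most CWE-434 findings. The accepted file types are an assumption, since the page does not say what the plugin accepts, and the probe set is constructed. In a WordPress plugin the same checks sit behind a capability test such as current_user_can() and a nonce check, with wp_check_filetype_and_ext() doing the name-versus-content comparison.

```python
"""Upload validation in the spirit of NIST SP 800-53 SI-10 (added example, not the plugin's code).

weak_check() is the pattern behind most CWE-434 bugs: trust the client-declared type and
glance at the trailing extension. hardened_check() validates the name and the bytes
together and ignores what the client claims.
"""
import os
import re
import secrets

# Allowlist is an assumption: the page does not say which file types the plugin accepts.
# Value = magic bytes the content must start with, or b"" for text formats.
ALLOWED = {
    "csv": b"",
    "json": b"",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
# Server-side tags that must never appear in an uploaded file, whatever its extension.
SERVER_SIDE = re.compile(rb"<\?(?:php|=)|<%|<script", re.IGNORECASE)


def weak_check(filename, declared_mime, content):
    """Vulnerable pattern: client-controlled MIME type decides, bytes are never inspected."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED or declared_mime.startswith(("image/", "text/"))


def hardened_check(filename, declared_mime, content):
    """Return (accepted, reason). declared_mime is attacker-controlled, so it is not consulted."""
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith("."):
        return False, "path component or dotfile name"
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "multiple extensions or unsafe characters"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allowlist"
    magic = ALLOWED[ext]
    if magic and not content.startswith(magic):
        return False, "content does not match extension"
    if not magic:
        try:
            content.decode("utf-8")          # text formats must at least be text
        except UnicodeDecodeError:
            return False, "text type with non-UTF-8 content"
    if SERVER_SIDE.search(content):
        return False, "server-side code inside file"   # catches JPEG/PHP polyglots
    return True, "ok"


def stored_name(filename):
    """Call only after hardened_check() passed: random stem, lower-cased allowlisted extension."""
    return f"{secrets.token_hex(8)}.{filename.rsplit('.', 1)[-1].lower()}"


# Constructed probes: what an attacker holding a high-privilege session typically tries.
PROBES = [
    ("cities.csv", "text/csv", b"city,country\nLeiden,NL\n"),
    ("map.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("shell.php", "text/plain", b"<?php system($_GET['c']); ?>"),
    ("shell.phtml", "image/jpeg", b"<?php system($_GET['c']); ?>"),
    ("shell.php.csv", "text/csv", b"<?php system($_GET['c']); ?>"),
    ("shell.csv", "text/csv", b"city\n<?php system($_GET['c']); ?>"),
    ("poly.jpg", "image/jpeg", b"\xff\xd8\xff\xe0<?php eval($_POST['c']); ?>"),
    (".htaccess", "text/plain", b"AddType application/x-httpd-php .csv\n"),
    ("../../wp-config.php", "text/csv", b"x"),
]


def run_probes():
    """Map probe name -> (accepted by weak_check, accepted by hardened_check)."""
    return {name: (weak_check(name, mime, body), hardened_check(name, mime, body)[0])
            for name, mime, body in PROBES}


if __name__ == "__main__":
    for name, (weak, hard) in run_probes().items():
        print(f"{name:22} weak={'ACCEPT' if weak else 'reject':6} hardened={'ACCEPT' if hard else 'reject'}")
```

run_probes() shows the gap in one table: the weak check accepts all nine probes, because a client-supplied image/ or text/ MIME type is enough to get a .php or .phtml file through, while the hardened check accepts only the genuine CSV and PNG. Storing under stored_name() in a directory with script execution disabled is the last layer, so that a future validator bug still cannot turn an upload into code execution.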

References