Cyber Resilience

CVE-2024-56278

Critical · RCE

Published: 07 January 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: update available (per Patchstack advisory)
CVSS v3.1 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.5554 (98.1st percentile)
Risk Priority: 52 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-56278 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.9% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a code injection flaw, specifically PHP Remote File Inclusion, present in the WP Ultimate Exporter WordPress plugin developed by Smackcoders Inc. It stems from improper control over code generation and affects all versions through 2.9.1. Its CVSS 3.1 score of 9.1 reflects network-accessible exploitation with low attack complexity, although the vector (PR:H) requires the attacker to already hold high privileges.

An authenticated attacker holding high privileges can supply a remote file reference that the plugin includes and executes, resulting in full remote code execution on the server. Successful exploitation grants complete control over confidentiality, integrity, and availability with scope change to other components of the WordPress installation.

The issue is tracked in the Patchstack advisory, which identifies the affected plugin versions and points to remediation through an update that resolves the remote file inclusion vector. The associated EPSS score sits at 0.5554 with no subsequent rise, indicating sustained but not newly escalating exploitation interest since disclosure.
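As an added illustration (not code from the WP Ultimate Exporter plugin, whose internals this page does not show), the following PHP contrasts the general CWE-94 / PHP remote file inclusion pattern described above with a loader that applies the SI-10 input-validation control listed under Mitigating Controls: the template name is checked against an allowlist, resolved with realpath(), and confined to a single template directory. The function names, the template directory and the allowlist contents are hypothetical, and the demo inputs at the bottom are constructed.

```php
<?php
// Added example, not plugin code. Demonstrates the CWE-94 / PHP remote file
// inclusion pattern and a hardened loader. All names below are hypothetical.

// VULNERABLE PATTERN (illustration only, never called here): the include
// target comes straight from request input. If allow_url_include is enabled
// (Off by default, deprecated since PHP 7.4) a URL-shaped value is fetched and
// executed as PHP; even with it off, traversal to local files remains possible.
function load_template_unsafe(string $template): void {
    include $template;  // attacker-controlled include target
}

// HARDENED LOADER: allowlist plus realpath containment (SI-10 style validation).
// A temp directory is used so the demo runs anywhere; a real plugin would use
// its own templates/ directory.
define('TEMPLATE_DIR', sys_get_temp_dir() . '/rfi-demo-templates');
const ALLOWED_TEMPLATES = ['csv', 'xml', 'json'];

function resolve_template(string $name): ?string {
    // 1. Structural check: only a short token of safe characters is accepted,
    //    which already rules out schemes (http://), slashes and dot segments.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }
    // 2. Semantic check: the token must name a template we ship.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 3. Containment check: the resolved file must exist and sit inside
    //    TEMPLATE_DIR (realpath() collapses symlinks and ".." components).
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_template_safe(string $name): bool {
    $path = resolve_template($name);
    if ($path === null) {
        // Hex-encode the rejected value so log lines cannot be forged.
        error_log('rejected template name: ' . bin2hex($name));
        return false;
    }
    include $path;
    return true;
}

// Demo with constructed inputs (no real requests involved). A minimal
// csv.php is created so the positive case resolves; json.php is deliberately
// absent to show that an allowlisted name with no file is still rejected.
@mkdir(TEMPLATE_DIR, 0700, true);
file_put_contents(TEMPLATE_DIR . '/csv.php', "<?php echo \"csv template loaded\\n\";\n");

foreach (['csv', 'http://example.invalid/x.txt', '../wp-config', 'json'] as $input) {
    $ok = load_template_safe($input);
    printf("%-32s => %s\n", $input, $ok ? 'loaded' : 'rejected');
}
```

Run it with `php rfi_demo.php`; only the `csv` input loads. The allowlist, not the php.ini setting, is the primary control: `allow_url_include = Off` blocks only remote targets, while the structural and containment checks also stop local file inclusion through traversal or a stray upload directory.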

Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows PHP Remote File Inclusion. This issue affects WP Ultimate Exporter: from n/a through <= 2.9.1.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The CVE enables remote code execution via PHP RFI/code injection in a public-facing WordPress plugin (T1190). That foothold directly facilitates arbitrary command execution on the server (T1059.004, Unix Shell) and web shell deployment for persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28134 (shared CWE-94)
CVE-2024-57487 (shared CWE-94)
CVE-2026-29955 (shared CWE-94)
CVE-2024-55964 (shared CWE-94)
CVE-2025-70995 (shared CWE-94)
CVE-2026-20045 (shared CWE-94)
CVE-2025-67038 (shared CWE-94)
CVE-2026-32367 (shared CWE-94)
CVE-2026-3352 (shared CWE-94)
CVE-2026-30117 (shared CWE-94)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: Directly mitigates CVE-2024-56278 by requiring identification, reporting, and correction of the code injection flaw in WP Ultimate Exporter plugin versions <= 2.9.1.

Prevent (SI-10 Information Input Validation): Prevents PHP remote file inclusion in WP Ultimate Exporter by validating inputs to block malicious code injection (CWE-94).

Detect (RA-5 Vulnerability Monitoring and Scanning): Detects the critical RFI vulnerability in WP Ultimate Exporter through periodic scanning of WordPress plugins for known CVEs such as CVE-2024-56278.
