CVE-2024-56278
Published: 07 January 2025
Summary
CVE-2024-56278 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2024-56278 by requiring identification, reporting, and correction of the code injection flaw in WP Ultimate Exporter plugin versions <=2.9.1.
Prevents PHP remote file inclusion in WP Ultimate Exporter by validating inputs to block malicious code injection (CWE-94).
Detects the critical RFI vulnerability in WP Ultimate Exporter through periodic scanning of WordPress plugins for known CVEs like CVE-2024-56278.
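An inventory check for the affected range, added here as an example and not taken from the advisory or the plugin's own code: it reads the standard WordPress plugin header `Version:` field under `wp-content/plugins/wp-ultimate-exporter` and flags versions up to and including 2.9.1. The sample file name and the "newer" label are assumptions; the page does not name a fixed version.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "wp-ultimate-exporter"   # slug from the NVD description
LAST_AFFECTED = (2, 9, 1)              # "through <= 2.9.1" per the page

# WordPress reads plugin metadata from a header comment in a top-level PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)


def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)


def check_install(wp_root):
    """Classify one WordPress tree: 'absent', 'unknown', 'affected' or 'newer'."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return "absent", None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only inspects the first 8 KB of a file for headers.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version is not None:
            # Pad so that "2.9" compares as 2.9.0; "newer" is not a claim of "fixed".
            padded = version + (0,) * (3 - len(version))
            return ("affected" if padded <= LAST_AFFECTED else "newer"), version
    return "unknown", None  # directory present but no readable header


def make_sample(root, version):
    """Build a constructed plugin directory for the demo (file name is made up)."""
    d = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    d.mkdir(parents=True)
    (d / "sample-main.php").write_text(
        f"<?php\n/**\n * Plugin Name: WP Ultimate Exporter\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for v in ("2.9.1", "2.9", "2.10"):
        with tempfile.TemporaryDirectory() as tmp:
            print(v, check_install(make_sample(tmp, v)))
```

An "unknown" result means the plugin directory exists but no version header could be read, which should be treated as needing manual review rather than as clean.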
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables RCE via PHP RFI/code injection in a public-facing WordPress plugin (T1190), and directly facilitates arbitrary command execution on the server (T1059.004 Unix Shell) and web shell deployment (T1505.003).
NVD Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows PHP Remote File Inclusion. This issue affects WP Ultimate Exporter: from n/a through <= 2.9.1.
Deeper analysis
CVE-2024-56278 is an Improper Control of Generation of Code ('Code Injection') vulnerability in the WP Ultimate Exporter plugin (wp-ultimate-exporter) developed by Smackcoders Inc., which allows PHP Remote File Inclusion. The issue affects all versions of the plugin up to and including 2.9.1. It is classified under CWE-94 and carries a CVSS v3.1 base score of 9.1 (Critical).
The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H), such as those of an authenticated administrator, and no user interaction (UI:N). Exploitation results in a scope change (S:C) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), enabling remote code execution via PHP remote file inclusion.
Patchstack has published an advisory on this remote code execution vulnerability specifically in WP Ultimate Exporter version 2.9.1, available at https://patchstack.com/database/Wordpress/Plugin/wp-ultimate-exporter/vulnerability/wordpress-wp-ultimate-exporter-plugin-2-9-1-remote-code-execution-rce-vulnerability?_s_id=cve. Security practitioners should consult this and any vendor guidance for mitigation recommendations.
Details
- CWE(s)