CVE-2024-56278
Published: 07 January 2025
Summary
CVE-2024-56278 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is a code injection flaw, specifically PHP Remote File Inclusion, present in the WP Ultimate Exporter WordPress plugin developed by Smackcoders Inc. It stems from improper control over code generation and affects all versions through 2.9.1, carrying a CVSS 3.1 score of 9.1 that reflects network-accessible exploitation with low attack complexity.
An authenticated attacker holding high privileges can supply a remote file reference that the plugin includes and executes, resulting in full remote code execution on the server. Successful exploitation leads to a complete loss of confidentiality, integrity, and availability, with a CVSS scope change because the impact extends beyond the plugin to other components of the WordPress installation.
The issue is tracked in the Patchstack advisory, which identifies the affected plugin versions and points to remediation through an update that resolves the remote file inclusion vector. The associated EPSS score sits at 0.5554 with no subsequent rise, indicating sustained but not newly escalating exploitation interest since disclosure.
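As an added example (not code from the advisory, Patchstack, or the plugin itself) of how a defender can check a WordPress install against the affected range, assuming the plugin's main file name and the header contents shown in the constructed sample:

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "wp-ultimate-exporter"   # plugin slug named in the advisory
LAST_AFFECTED = "2.9.1"                # advisory: all versions through 2.9.1

# Constructed sample header; the real file name and contents are assumptions.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Ultimate Exporter
 * Version: 2.9.1
 */
"""

def parse_plugin_header(text: str) -> dict:
    """Return the 'Key: Value' fields of a WordPress plugin header comment."""
    fields = re.findall(r"^\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$", text, re.M)
    return {key.strip(): value for key, value in fields}

def version_tuple(version: str) -> tuple:
    """'2.9.1' -> (2, 9, 1); a suffix such as '-beta' is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when version <= last_affected, compared numerically (2.10 > 2.9)."""
    found, limit = version_tuple(version), version_tuple(last_affected)
    width = max(len(found), len(limit))
    pad = lambda t: t + (0,) * (width - len(t))   # treat '2.9' as '2.9.0'
    return pad(found) <= pad(limit)

def scan_plugins_dir(plugins_dir) -> list:
    """List (directory, version) for affected copies under wp-content/plugins."""
    hits = []
    for php in sorted(Path(plugins_dir).glob(f"{PLUGIN_SLUG}*/*.php")):
        header = parse_plugin_header(php.read_text(errors="replace")[:8192])
        version = header.get("Version")
        if "Plugin Name" in header and version and is_affected(version):
            hits.append((php.parent.name, version))
    return hits

def demo() -> list:
    # Scan a throwaway plugins directory holding only the constructed sample.
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / PLUGIN_SLUG
        plugin_dir.mkdir()
        (plugin_dir / "wp-ultimate-exporter.php").write_text(SAMPLE_HEADER)
        return scan_plugins_dir(tmp)
```

Point `scan_plugins_dir` at a real `wp-content/plugins` directory to list affected copies; a hit means the install needs the update the advisory points to.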
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53075
Vulnerability details
Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows PHP Remote File Inclusion. This issue affects WP Ultimate Exporter: from n/a through <= 2.9.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote code execution via PHP RFI/code injection in a public-facing WordPress plugin (T1190). That foothold directly facilitates arbitrary command execution on the server (T1059.004, Unix Shell) and web shell deployment (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2024-56278 by requiring identification, reporting, and correction of the code injection flaw in WP Ultimate Exporter plugin versions <= 2.9.1.
- SI-10 (Information Input Validation): prevents PHP remote file inclusion in WP Ultimate Exporter by validating inputs to block malicious code injection (CWE-94).
- RA-5 (Vulnerability Monitoring and Scanning): detects the critical RFI vulnerability in WP Ultimate Exporter through periodic scanning of WordPress plugins for known CVEs like CVE-2024-56278.