CVE-2024-6330
Published: 19 August 2024
Summary
CVE-2024-6330 is a critical-severity vulnerability of an unspecified weakness type in Geomywp Geo My Wordpress. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The GEO my WP WordPress plugin before version 4.5.0.2 contains a vulnerability that allows arbitrary file inclusion within PHP's execution context, resulting in remote code execution. The flaw affects the plugin component directly and carries a CVSS 3.1 score of 9.8 with a network attack vector, low complexity, and no required authentication or user interaction.
Unauthenticated remote attackers can exploit the issue to include and execute arbitrary files on the server, achieving full control over the affected WordPress installation including the ability to read, modify, or delete data and potentially pivot to other systems.
The referenced WPScan advisory at https://wpscan.com/vulnerability/95b532e0-1ffb-421e-b9c0-de03f89491d7/ identifies the affected versions and indicates that updating to 4.5.0.2 or later resolves the file inclusion flaw.
The CVE's EPSS score remains at 0.4353, with no material increase from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47444
Vulnerability details
The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote Code Execution.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.