Cyber Resilience

CVE-2024-6459

Critical · Public PoC

Published: 17 August 2024

Modified: 27 May 2025
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0580 (90.7th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-6459 is a critical-severity vulnerability of an unspecified weakness type in Webangon News Element. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The News Element Elementor Blog Magazine WordPress plugin before version 1.0.6 is affected by a local file inclusion vulnerability that occurs through the template parameter. The flaw permits an unauthenticated attacker to supply an arbitrary file path, resulting in the inclusion and execution of PHP files hosted on the server.

An attacker with no credentials or user interaction can reach the vulnerable endpoint over the network and execute arbitrary PHP code contained in files already present on the filesystem. Successful exploitation grants full control over the web application and underlying server, consistent with the CVSS 3.1 base score of 9.8.

The referenced WPScan advisory identifies the affected plugin versions and confirms that updating to 1.0.6 or later removes the vulnerable code path. The associated EPSS score has remained flat at 0.0580 with no material increase since disclosure.

Vulnerability details

The News Element Elementor Blog Magazine WordPress plugin before 1.0.6 is vulnerable to Local File Inclusion via the template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

webangon
news element
≤ 1.0.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References