CVE-2024-6459
Published: 17 August 2024
Summary
CVE-2024-6459 is a critical-severity vulnerability of unspecified weakness type in Webangon News Element. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The News Element Elementor Blog Magazine WordPress plugin before version 1.0.6 is affected by a local file inclusion vulnerability that occurs through the template parameter. The flaw permits an unauthenticated attacker to supply an arbitrary file path, resulting in the inclusion and execution of PHP files hosted on the server.
An attacker with no credentials or user interaction can reach the vulnerable endpoint over the network and execute arbitrary PHP code contained in files already present on the filesystem. Successful exploitation grants full control over the web application and underlying server, consistent with the CVSS 3.1 base score of 9.8.
The referenced WPScan advisory identifies the affected plugin versions and confirms that updating to 1.0.6 or later removes the vulnerable code path. The associated EPSS score has remained flat at 0.0580 with no material increase since disclosure.
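A triage check for the condition described above, as an added example that is not part of the advisory or the plugin's code: it scans web access logs for requests whose template parameter carries a file path instead of a template name. The combined log format, the /example-endpoint path and the sample lines are assumptions constructed for illustration; only the parameter name comes from this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-log request line; the log format is an assumption, not from the advisory.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e) so checks see the real path."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_template(value):
    """Return why a template value looks like a file path, or None if it does not."""
    v = fully_decode(value).replace("\\", "/")
    if "\x00" in v:
        return "null byte"
    if "://" in v:
        return "stream wrapper"
    if v.startswith("/") or re.match(r"[A-Za-z]:/", v):
        return "absolute path"
    if ".." in v.split("/"):
        return "directory traversal"
    return None

def scan(lines):
    """Return (ip, status, decoded_value, reason) for each flagged request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # Only query strings are visible here; POST bodies are not in access logs.
        for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            reason = suspicious_template(value) if key.lower() == "template" else None
            if reason:
                findings.append((m["ip"], m["status"], fully_decode(value), reason))
    return findings

# Constructed sample lines; the endpoint path is a placeholder.
SAMPLE = [
    '192.0.2.10 - - [17/Aug/2024:10:00:00 +0000] "GET /example-endpoint?template=grid-style-1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Aug/2024:10:00:05 +0000] "GET /example-endpoint?template=..%2F..%2F..%2Fuploads%2Fnote HTTP/1.1" 200 1024',
    '198.51.100.7 - - [17/Aug/2024:10:00:09 +0000] "GET /example-endpoint?template=%252e%252e%252fconfig HTTP/1.1" 200 880',
    '203.0.113.4 - - [17/Aug/2024:10:01:00 +0000] "GET /example-endpoint?template=%2Fvar%2Fwww%2Fhtml%2Fsample HTTP/1.1" 500 0',
]
```

A flagged request that returned status 200 on a site running a plugin version before 1.0.6 is the case to review first.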
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47555
Vulnerability details
The News Element Elementor Blog Magazine WordPress plugin before 1.0.6 is vulnerable to Local File Inclusion via the template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.