Cyber Resilience

CVE-2024-6460

Critical · Public PoC

Published: 16 August 2024

Modified: 27 May 2025
KEV Added: (none)
Patch: (none)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9122 (99.7th percentile)
Risk Priority: 74 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-6460 is a critical-severity vulnerability in Tradedoubler Grow whose weakness type (CWE) is unspecified. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Grow by Tradedoubler WordPress plugin through version 2.0.21 is affected by a local file inclusion vulnerability reachable via the component parameter. The flaw allows inclusion of arbitrary PHP files already present on the server, which results in execution of any PHP code contained in those files. The issue carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers with network access can exploit the vulnerability without user interaction to read or execute files on the server, achieving full compromise of confidentiality, integrity, and availability on the affected installation. The current EPSS score of 0.9122, with a recorded peak of 0.9206, indicates sustained exploitation interest.

The single referenced advisory at wpscan.com provides further technical detail on the issue but does not include mitigation guidance in the information supplied here.

EU & UK References

Vulnerability details

The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tradedoubler
Product: grow
Versions: ≤ 2.0.22

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References