Cyber Resilience

CVE-2024-7094

CriticalRCE

Published: 13 August 2024

Published
13 August 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.7196 98.8th percentile
Risk Priority 63 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-7094 is a critical-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The JS Help Desk – The Ultimate Help Desk & Support Plugin for WordPress contains a PHP code injection vulnerability that leads to remote code execution in all versions through 2.8.6. The flaw resides in the storeTheme function, which writes unsanitized user input directly into the style.php file while also omitting capability checks, and is tracked under CWE-94.

Unauthenticated attackers can reach the affected code over the network to inject and execute arbitrary PHP on the server, resulting in complete compromise of confidentiality, integrity, and availability. The CVSS 3.1 base score of 9.8 reflects the absence of authentication, user interaction, or other mitigating conditions required for exploitation.

The code injection vector was partially closed in 2.8.6, while missing authorization and cross-site request forgery protections were added in 2.8.7 to complete the fix; CVE-2024-43274 is noted as a likely duplicate. The current EPSS of 0.7196 matches its recorded peak. The vulnerable implementation appears in the plugin’s style.php, formhandler.php, controller.php, model.php, and admin_themes.php files.

EU & UK References

Vulnerability details

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the 'storeTheme' function. This is…

more

due to a lack of sanitization on user-supplied values, which replace values in the style.php file, along with missing capability checks. This makes it possible for unauthenticated attackers to execute code on the server. This issue was partially patched in 2.8.6 when the code injection issue was resolved, and fully patched in 2.8.7 when the missing authorization and cross-site request forgery protection was added. CVE-2024-43274 is likely a duplicate of this issue.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

References