Code Injection Vulnerability in WP Ultimate Exporter by Smackcoders
CVE-2024-56278

9.1CRITICAL

Key Information:

Vendor: Smackcoders
Status: WP Ultimate Exporter
Vendor: CVE Published:; 7 January 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A significant code injection vulnerability has been identified in the WP Ultimate Exporter plugin developed by Smackcoders. This flaw allows for PHP Remote File Inclusion, potentially enabling unauthorized access and execution of malicious code on affected installations. Users of WP Ultimate Exporter, particularly versions from n/a through 2.9.1, are urged to review their security posture and apply the necessary updates to mitigate risks associated with this vulnerability.

Affected Version(s)

WP Ultimate Exporter <= 2.9.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-56278
Created by DoTTak

References

https://patchstack.com/database/wordpress/plugin/wp-ultim...

vdb-entry

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 7, 2025
🟡
Public PoC available
Jan 6, 2025
👾
Exploit known to exist
Jan 6, 2025
Vulnerability Reserved
Dec 18, 2024

Credit

Webula (Patchstack Alliance)