CVE-2024-6228 PUBLISHED

WANotifier < 2.6 - Subscriber+ LFI

Assigner: WPScan
Reserved: 20.06.2024 Published: 06.07.2026 Updated: 06.07.2026

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.

Product Status

Vendor Unknown
Product Notifications for Forms & WordPress Actions
Versions Default: unaffected
  • affected from 0 to 2.6 (excl.)

Credits

  • Project Black finder
  • WPScan coordinator

References

Problem Types

  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE