WP Ultimate Exporter < 2.9.2 – Authenticated (Admin+) Remote Code Execution | CVE 2024-56278

Affects Plugins

wp-ultimate-exporter

Fixed in 2.9.2

References

CVE

CVE-2024-56278

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4fd929e7-8f28-43de-92ce-4f52ece24f7c

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

4.1 (medium)

Miscellaneous

Original Researcher

Webula

Verified

No

WPVDB ID

96777e49-9c81-432c-a20a-45d2cbfc8722

Timeline

Publicly Published

2025-01-03 (about 1 year ago)

Added

2025-01-08 (about 1 year ago)

Last Updated

2025-01-08 (about 1 year ago)

Other

Published

Title

Published

2015-10-23

Title

Form Manager <= 1.7.2 - Authenticated Remote Command Execution (RCE)

Published

2025-09-03

Title

atec Debug < 1.2.23 - Authenticated (Administrator+) Remote Code Execution

Published

2018-09-05

Title

Duplicator < 1.2.42 - Unauthenticated Arbitrary Code Execution

Published

2026-04-03

Title

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress < 4.16.12 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields

Published

2025-02-11

Title

Global Gallery - WordPress Responsive Gallery < 9.1.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution