Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2024-6228: WordPress WANotifier Plugin Local File Inclusion
CVE-2024-6228: WordPress WANotifier Plugin Local File Inclusion
SECURITYHIGHCVE-2024-6228

CVE-2024-6228: WordPress WANotifier Plugin Local File Inclusion

A local file inclusion vulnerability in the WANotifier WordPress plugin (before v2.6) allows any authenticated subscriber-level user to include and execute arbitrary PHP files on the server, potentially exposing credentials and enabling full site takeover.

Dylan H.

Security Team

July 6, 2026
4 min read

Affected Products

  • WANotifier (Notifications for Forms & WordPress Actions) < 2.6
  • WordPress sites with any registered users

Executive Summary

The National Vulnerability Database has published CVE-2024-6228, a High severity local file inclusion (LFI) vulnerability affecting the WANotifier WordPress plugin — also marketed as "Notifications for Forms & WordPress Actions." The flaw allows any authenticated user with subscriber-level access or above to include and execute arbitrary PHP files on the server.

CVSS v3.1 Score: 7.5 (HIGH) — AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H


Vulnerability Overview

Root Cause

The plugin fails to validate a user-supplied parameter before using it to construct a server-side file inclusion path. When a subscriber triggers the notifier_preview_btn_style AJAX action, the btn_style parameter is passed directly into a file path without sanitization, enabling path traversal sequences to reach arbitrary files on the server's filesystem.

CWE Classification

  • CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Attack Chain

1. Attacker registers (or compromises) any WordPress account (subscriber or above)
2. Sends a crafted POST to wp-admin/admin-ajax.php
   action=notifier_preview_btn_style
   btn_style=../../../../../wp-config
3. PHP's include/require resolves the path traversal
4. Arbitrary PHP file from the server filesystem is included and executed
5. Attacker reads wp-config.php (DB credentials, secret keys) or executes uploaded shells

Technical Details

Affected Endpoint

POST /wp-admin/admin-ajax.php
action=notifier_preview_btn_style
btn_style=../../../path/to/file

The btn_style parameter controls which PHP template file is included for rendering a button style preview. The plugin does not restrict traversal, allowing the inclusion of any file the web server process can read.

What an Attacker Can Access

FileContent
wp-config.phpDatabase credentials, secret keys, salts
/etc/passwdSystem user enumeration
PHP sessionsActive session tokens
Uploaded filesPreviously uploaded web shells
Application configAPI keys, SMTP credentials, third-party tokens

Because the included file is executed as PHP, a previously uploaded PHP web shell becomes a full remote code execution vector once an attacker uses this LFI to trigger it.

Affected Versions

VersionStatus
WANotifier < 2.6Vulnerable
WANotifier 2.6+Patched

Remediation

Update Immediately

Update the WANotifier plugin to version 2.6 or later via the WordPress admin dashboard:

Dashboard → Plugins → WANotifier → Update Now

Or via WP-CLI:

wp plugin update wa-notifier

Verify Plugin Version

# Via WP-CLI
wp plugin get wa-notifier --fields=version,status

Temporary Mitigation (If Patch Cannot Be Applied)

Disable the plugin until it can be updated. There is no safe configuration workaround — the vulnerability is in the core file inclusion logic.


Detection

Server Log Indicators

Look for AJAX requests containing path traversal sequences:

grep "notifier_preview_btn_style" /var/log/apache2/access.log | grep "\.\."

WAF Rule (ModSecurity)

SecRule ARGS:btn_style "@rx (\.\.\/|\.\.\\)" \
    "id:20240622801,phase:2,deny,status:403,\
    msg:'CVE-2024-6228 WANotifier LFI attempt'"

WordPress Audit Logging

If using a plugin like WP Activity Log or Wordfence, filter for:

  • AJAX calls to notifier_preview_btn_style
  • Any non-admin user triggering file preview actions

Risk Assessment

FactorAssessment
Authentication RequiredYes — subscriber level
User Interaction RequiredNone
Network AccessRemote
Exploit ComplexityHigh (requires path knowledge)
ImpactFull confidentiality, integrity, availability

While the "High Complexity" rating somewhat lowers the base score, the subscriber-level access requirement is trivially satisfied on any WordPress site that allows user registration. On e-commerce sites, membership sites, or any platform where users can register, this is effectively an unauthenticated attack.


References

  • NVD — CVE-2024-6228
  • WPScan Vulnerability Database
  • WANotifier Plugin (WordPress.org)

Related Advisories

  • BeyondTrust Remote Support Pre-Authentication RCE
  • Apache Struts Critical RCE via OGNL Injection Returns
#CVE#WordPress#Local File Inclusion#PHP#Web Application

Related Articles

CVE-2018-25362: Twitter-Clone SQL Injection via follow.php

Twitter-Clone 1 contains a high-severity SQL injection vulnerability in follow.php that allows attackers to extract sensitive database information through.

4 min read

CVE-2026-39918: Vvveb CMS Unauthenticated PHP Code

Vvveb CMS versions prior to 1.0.8.1 allow unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's unsanitized subdir...

4 min read

CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap

A high-severity unrestricted file upload vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows authenticated vendor users to upload arbitrary PHP files, enabling remote code execution on the hosting server.

3 min read
Back to all Security Alerts