Executive Summary
The National Vulnerability Database has published CVE-2024-6228, a High severity local file inclusion (LFI) vulnerability affecting the WANotifier WordPress plugin — also marketed as "Notifications for Forms & WordPress Actions." The flaw allows any authenticated user with subscriber-level access or above to include and execute arbitrary PHP files on the server.
CVSS v3.1 Score: 7.5 (HIGH) — AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Overview
Root Cause
The plugin fails to validate a user-supplied parameter before using it to construct a server-side file inclusion path. When a subscriber triggers the notifier_preview_btn_style AJAX action, the btn_style parameter is passed directly into a file path without sanitization, enabling path traversal sequences to reach arbitrary files on the server's filesystem.
CWE Classification
- CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Attack Chain
1. Attacker registers (or compromises) any WordPress account (subscriber or above)
2. Sends a crafted POST to wp-admin/admin-ajax.php
action=notifier_preview_btn_style
btn_style=../../../../../wp-config
3. PHP's include/require resolves the path traversal
4. Arbitrary PHP file from the server filesystem is included and executed
5. Attacker reads wp-config.php (DB credentials, secret keys) or executes uploaded shellsTechnical Details
Affected Endpoint
POST /wp-admin/admin-ajax.php
action=notifier_preview_btn_style
btn_style=../../../path/to/file
The btn_style parameter controls which PHP template file is included for rendering a button style preview. The plugin does not restrict traversal, allowing the inclusion of any file the web server process can read.
What an Attacker Can Access
| File | Content |
|---|---|
wp-config.php | Database credentials, secret keys, salts |
/etc/passwd | System user enumeration |
| PHP sessions | Active session tokens |
| Uploaded files | Previously uploaded web shells |
| Application config | API keys, SMTP credentials, third-party tokens |
Because the included file is executed as PHP, a previously uploaded PHP web shell becomes a full remote code execution vector once an attacker uses this LFI to trigger it.
Affected Versions
| Version | Status |
|---|---|
| WANotifier < 2.6 | Vulnerable |
| WANotifier 2.6+ | Patched |
Remediation
Update Immediately
Update the WANotifier plugin to version 2.6 or later via the WordPress admin dashboard:
Dashboard → Plugins → WANotifier → Update Now
Or via WP-CLI:
wp plugin update wa-notifierVerify Plugin Version
# Via WP-CLI
wp plugin get wa-notifier --fields=version,statusTemporary Mitigation (If Patch Cannot Be Applied)
Disable the plugin until it can be updated. There is no safe configuration workaround — the vulnerability is in the core file inclusion logic.
Detection
Server Log Indicators
Look for AJAX requests containing path traversal sequences:
grep "notifier_preview_btn_style" /var/log/apache2/access.log | grep "\.\."WAF Rule (ModSecurity)
SecRule ARGS:btn_style "@rx (\.\.\/|\.\.\\)" \
"id:20240622801,phase:2,deny,status:403,\
msg:'CVE-2024-6228 WANotifier LFI attempt'"
WordPress Audit Logging
If using a plugin like WP Activity Log or Wordfence, filter for:
- AJAX calls to
notifier_preview_btn_style - Any non-admin user triggering file preview actions
Risk Assessment
| Factor | Assessment |
|---|---|
| Authentication Required | Yes — subscriber level |
| User Interaction Required | None |
| Network Access | Remote |
| Exploit Complexity | High (requires path knowledge) |
| Impact | Full confidentiality, integrity, availability |
While the "High Complexity" rating somewhat lowers the base score, the subscriber-level access requirement is trivially satisfied on any WordPress site that allows user registration. On e-commerce sites, membership sites, or any platform where users can register, this is effectively an unauthenticated attack.