Description
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.
Published: 2026-07-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to validate a user‑supplied value before using it to construct a server‑side file inclusion path, permitting authenticated users with subscriber level or higher to include and execute arbitrary local PHP files on the host. This type of flaw, a local file inclusion, can lead to remote code execution.

Affected Systems

The vulnerability affects the Notifications for Forms & WordPress Actions WordPress plugin, versions earlier than 2.6, on any site that has users capable of attaining subscriber‑level access or higher.

Risk and Exploitability

With a CVSS score of 7.5 the flaw is classified as high severity, while an EPSS score below 1% indicates a low probability of zero‑day exploitation at present. The flaw is not listed in CISA KEV, but the presence of an authentication requirement means that compromised credentials could be leveraged for code execution once the server is accessed.

Generated by OpenCVE AI on July 6, 2026 at 17:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.6 or newer.
  • If an upgrade cannot be performed immediately, revoke or restrict subscriber‑level access to the site, or temporarily disable the plugin until a patch is available.
  • Check the site’s file system for any unintended local PHP files that could be included and remove or secure them, ensuring that the plugin’s directory contains only the necessary files.

Generated by OpenCVE AI on July 6, 2026 at 17:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
CWE-98

Mon, 06 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.
Title WANotifier < 2.6 - Subscriber+ LFI
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-06T12:09:45.862Z

Reserved: 2024-06-20T20:27:35.683Z

Link: CVE-2024-6228

cve-icon Vulnrichment

Updated: 2026-07-06T12:09:41.957Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:30:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')