Cyber Posture

CVE-2024-56264

Medium

Published: 02 January 2025

Modified: 23 April 2026
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
EPSS Score: 0.1382 (94.3th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector acf-city-selector allows Upload a Web Shell to a Web Server. This issue affects ACF City Selector: from n/a through <= 1.14.0.

Security Summary

CVE-2024-56264 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the Beee ACF City Selector WordPress plugin, known as acf-city-selector. This issue affects all versions through 1.14.0 and enables attackers to upload a web shell to the web server. The vulnerability received a CVSS v3.1 base score of 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L), indicating a network attack vector, low attack complexity, high privileges required, a changed scope, and low impacts on confidentiality, integrity, and availability.

Exploitation requires high privileges (PR:H), typically administrative access to the WordPress site. An attacker with such privileges can upload dangerous files, such as web shells, directly to the web server, potentially leading to server-side code execution and limited compromise of the affected system.

The Patchstack advisory provides further details on this arbitrary file upload vulnerability in the ACF City Selector plugin version 1.14.0, available at https://patchstack.com/database/Wordpress/Plugin/acf-city-selector/vulnerability/wordpress-acf-city-selector-plugin-1-14-0-arbitrary-file-upload-vulnerability?_s_id=cve. Security practitioners should review it for recommended mitigations.

Details

CWE(s)
CWE-434
