CVE-2024-6330

CRITICAL

WordPress GEO my WP < 4.5.0.2 - PHP File Inclusion Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-6330. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-6330, an unauthenticated Local File Inclusion (LFI) vulnerability in the GEO my WordPress plugin. The exploit leverages a PHP filter chain to achieve arbitrary command execution via the 'form[info_window_template][content_path]' parameter.

Description

The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote Code Execution.

Exploits (1)

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-6330

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GEO my WordPress plugin <= 4.5.0.1
Authentication: No auth needed
Prerequisites: Target must have the vulnerable GEO my WordPress plugin installed and active · Ability to send HTTP requests to the target WordPress site
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Tags: Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/95b532e0-1ffb-421e-b9c0-de03f89491d7/

Scores

CVSS v3: 9.8
EPSS: 0.0214
EPSS Percentile: 79.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

Status: published
Products (1): geomywp/geo_my_wordpress < 4.5.0.2
Published: Aug 19, 2024
Tracked Since: Feb 18, 2026