CVE-2024-6460

Severity: CRITICAL · Nuclei template available

Grow by Tradedoubler <2.0.21 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-6460. PoCs published by Boshe99, E1-Bot141, Nxploited. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains functional exploit code for CVE-2024-6460, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

Description

The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

Exploits (3)

Source: GitHub · Working PoC
by Boshe99 · python · poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-6460

The repository contains functional exploit code for CVE-2024-6460, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
Authentication: No auth needed
Prerequisites: Vulnerable WordPress plugin installed · Network access to the target
Analyzed by devstral-2 on Feb 27, 2026
Source: nomisec · Stub
by E1-Bot141 · poc
https://github.com/E1-Bot141/CVE-2024-6460

The repository contains only a README.md file with a usage description for an exploit script (CVE-2024-6460.py) targeting Grow by Tradedoubler < 2.0.22 for an unauthenticated LFI vulnerability. However, the actual exploit code is missing, making this a stub.

Classification: Stub (30%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Theoretical
Target: Grow by Tradedoubler < 2.0.22
Authentication: No auth needed
Prerequisites: Target running Grow by Tradedoubler < 2.0.22
Analyzed by devstral-2 on Feb 16, 2026
Source: nomisec · Working PoC
by Nxploited · poc
https://github.com/Nxploited/CVE-2024-6460

This PoC exploits an LFI vulnerability in the Grow by Tradedoubler WordPress plugin (versions < 2.0.22) by leveraging an authenticated AJAX endpoint to read arbitrary files. It includes version checking and authentication handling.

Classification: Working PoC (90%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Grow by Tradedoubler WordPress plugin < 2.0.22
Authentication: Auth required
Prerequisites: WordPress credentials · Plugin version <= 2.0.21
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
Severity: CRITICAL · by ritikchaddha
FOFA query: body="wp-content/plugins/tradedoubler-affiliate-tracker/"

References (1)

Core references (1)
Tags: Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/ba2f53e0-30be-4f37-91bc-5fa151f1eee7/

Scores

CVSS v3: 9.8
EPSS: 0.0483
EPSS Percentile: 90.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

Status: published
Products (1): tradedoubler/grow < 2.0.22
Published: Aug 16, 2024
Tracked Since: Feb 18, 2026