The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2024-6228 affects the Notifications for Forms & WordPress Actions plugin (versions before 2.6), exposing WordPress sites to local file inclusion (LFI) attacks through improper input validation. An authenticated attacker with subscriber-level privileges can manipulate user-supplied values to construct arbitrary file paths, enabling the execution of malicious PHP code directly on the server. This vulnerability is particularly dangerous because it requires only basic authentication access—a privilege level often distributed to contributors and subscribers—making it accessible to a wide attack surface. WordPress sites using this plugin are at risk of complete server compromise, data exfiltration, and lateral movement within their infrastructure.
While CVE-2024-6228 currently maps to zero Casky skills due to missing CWE and MITRE ATT&CK classifications, practitioners leveraging Casky's 754 security skills and Claude's extended reasoning would detect this attack pattern through behaviors aligned with T1083 (File and Directory Discovery), T1059 (Command and Scripting Interpreter), and T1190 (Exploit Public-Facing Application). Security teams would observe suspicious file path construction in web server logs, unexpected PHP execution from template or configuration directories, and abnormal filesystem access patterns from the WordPress process. By analyzing authentication logs paired with subsequent file operations, Casky's AI-driven approach helps practitioners correlate low-privilege authentication events with malicious server-side includes, identifying compromise before data exfiltration occurs. Immediate patching to version 2.6+ and reviewing file access logs for unauthorized PHP execution are critical remediation steps.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2024-6228. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation