CVE-2024-5577: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in mcnardelli Where I Was, Where I Will Be
The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. This makes it possible for unauthenticated attackers to include and execute arbitrary files hosted on external servers, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. This requires allow_url_include to be set to true in order to exploit, which is not commonly enabled.
AI Analysis
Technical Summary
CVE-2024-5577 is a critical Remote File Inclusion vulnerability in the 'Where I Was, Where I Will Be' WordPress plugin (version ≤ 1.1.1). It arises from improper control of the filename used in an include/require statement in the /system/include/include_user.php file, specifically via the WIW_HEADER parameter. If the PHP setting allow_url_include is enabled, an unauthenticated attacker can supply a remote URL to include arbitrary PHP code, leading to remote code execution, access control bypass, and data disclosure. The vulnerability is classified under CWE-98 and has a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). No patch or official remediation has been disclosed yet, and the plugin is not a cloud service.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary PHP code on the affected server, potentially leading to full system compromise, bypass of access controls, and disclosure of sensitive information. The impact is rated critical with high confidentiality, integrity, and availability consequences. Exploitation requires the PHP allow_url_include directive to be enabled, which is uncommon by default.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should verify that the PHP configuration directive allow_url_include is disabled (which is the default and recommended setting) to prevent exploitation. Additionally, consider disabling or removing the vulnerable plugin if it is not essential. Monitor official vendor channels for updates or patches addressing this vulnerability.
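As an added illustration (not code from the plugin, the vendor or this advisory), the PHP below contrasts the CWE-98 pattern the description refers to, a request parameter flowing straight into `include`, with a hardened version that maps input onto a fixed allowlist and confines the resolved path to one directory, and adds the runtime check a defender would use to confirm the `allow_url_include` mitigation. The parameter name `header`, the `headers/` directory and the allowlist entries are constructed for the example; `allow_url_include` itself has been deprecated since PHP 7.4 and defaults to Off.

```php
<?php
// Added example, not the plugin's code. Parameter name, directory and
// allowlist entries are constructed for illustration.

// --- Vulnerable pattern (CWE-98, for illustration only) ---
// The request parameter is used directly as the include target. When
// allow_url_include=On, a URL supplied here is fetched and executed as PHP.
function include_header_unsafe(array $request): void
{
    include $request['header'];   // attacker controls the included path
}

// --- Hardened pattern ---
// 1. Accept only keys from a fixed allowlist.
// 2. Resolve the file with realpath() and verify it stays inside HEADER_DIR.
// 3. Never hand the raw parameter to include.
const HEADER_DIR = __DIR__ . '/headers';            // constructed location
const ALLOWED_HEADERS = ['default', 'compact', 'map'];

function resolve_header(string $name): ?string
{
    if (!in_array($name, ALLOWED_HEADERS, true)) {
        return null;                                  // unknown key: reject
    }
    $path = realpath(HEADER_DIR . '/' . $name . '.php');
    $base = realpath(HEADER_DIR);
    if ($path === false || $base === false) {
        return null;                                  // file or directory missing
    }
    // Prefix check keeps symlinks and traversal from escaping the directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_header_safe(array $request): void
{
    $name = (isset($request['header']) && is_string($request['header']))
        ? $request['header']
        : 'default';
    $path = resolve_header($name) ?? resolve_header('default');
    if ($path !== null) {
        include $path;                                // only allowlisted, local files
    }
}

// --- Configuration check ---
// allow_url_include is PHP_INI_SYSTEM, so it cannot be changed per request;
// ini_get() reports the effective server setting ("1" when enabled).
function allow_url_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (PHP_SAPI === 'cli') {
    echo 'allow_url_include is ', allow_url_include_enabled() ? 'ON (exposed to RFI)' : 'off', PHP_EOL;
    var_dump(resolve_header('compact'));                    // allowlisted key
    var_dump(resolve_header('http://example.invalid/x'));   // not in the allowlist, rejected
}
```

Run with `php example.php` on the server to confirm the directive is off; the corresponding php.ini line is `allow_url_include = Off`. The allowlist approach removes the dependency on that directive altogether, since the user-supplied value is never used as a path, only as a lookup key.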
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-05-31T19:50:28.539Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6becb7ef31ef0b55c2ca
Added to database: 2/25/2026, 9:38:52 PM
Last enriched: 4/9/2026, 2:45:49 PM
Last updated: 4/11/2026, 10:14:56 PM