CVE-2024-56264 is a security vulnerability identified in the Beee ACF City Selector plugin, a WordPress plugin used to enhance city selection functionality in forms. The vulnerability is classified as an 'Unrestricted Upload of File with Dangerous Type,' meaning the plugin fails to properly restrict or validate the types of files that users can upload. This weakness allows attackers to upload malicious files, such as web shells, directly to the web server hosting the WordPress site. Once a web shell is uploaded, an attacker can execute arbitrary commands, potentially gaining full control over the server environment. The affected versions include all releases up to and including version 1.14.0. The vulnerability does not require authentication or user interaction, making it easier for remote attackers to exploit. Despite no current public exploits, the risk is significant due to the nature of the vulnerability. The absence of a CVSS score suggests that the vulnerability was recently disclosed and not yet fully assessed. The unrestricted file upload flaw typically arises from insufficient input validation and lack of proper file type restrictions in the upload handling code of the plugin. This vulnerability can be exploited remotely via HTTP requests that submit malicious files to the upload endpoint of the plugin, bypassing any intended security controls. The plugin’s widespread use in WordPress sites that rely on advanced custom fields for city selection increases the attack surface. The vulnerability was published on January 2, 2025, and assigned by Patchstack, a known security entity specializing in WordPress vulnerabilities.

The impact of CVE-2024-56264 is severe for organizations using the Beee ACF City Selector plugin. Successful exploitation allows attackers to upload web shells, leading to remote code execution, full server compromise, data theft, defacement, or pivoting to other internal systems. This can result in loss of confidentiality, integrity, and availability of the affected web server and its hosted applications. Organizations may face service disruptions, reputational damage, regulatory penalties, and financial losses. Since WordPress powers a significant portion of the web, and plugins like ACF City Selector are used globally, the scope of affected systems is broad. The ease of exploitation without authentication or user interaction further elevates the threat level. Attackers can automate exploitation attempts, increasing the likelihood of widespread compromise. The vulnerability also poses risks to hosting providers and managed WordPress service providers who host multiple client sites using the vulnerable plugin. Without timely mitigation, attackers could leverage this vulnerability to establish persistent access, launch further attacks, or use compromised servers for malicious activities such as spam or distributed denial-of-service (DDoS) attacks.

To mitigate CVE-2024-56264, organizations should immediately update the Beee ACF City Selector plugin to a patched version once available. Until a patch is released, implement strict web application firewall (WAF) rules to block file uploads containing executable or script file extensions (e.g., .php, .jsp, .asp). Restrict upload directories to prevent execution of uploaded files by disabling script execution permissions (e.g., via .htaccess or server configuration). Employ input validation and file type verification on the server side to allow only safe file types such as images or documents. Monitor web server logs for suspicious upload attempts or unusual file creation activities. Use intrusion detection/prevention systems (IDS/IPS) to detect and block exploitation attempts. Limit plugin usage to trusted users and restrict access to upload functionality where possible. Regularly audit and scan WordPress installations for vulnerable plugins and unauthorized files. Consider isolating WordPress instances in containerized or sandboxed environments to reduce impact. Backup websites and databases frequently to enable rapid recovery in case of compromise. Engage with the plugin vendor or security community for updates and advisories.