CVE-2024-7262

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-7262
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.wps.com/whatsnew/pc/20240422/ Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7262 US Government Resource
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:kingsoft:wps_office:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

30 Oct 2025, 20:12

Type Values Removed Values Added
References () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7262 - () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7262 - US Government Resource

21 Oct 2025, 23:16

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7262 -

21 Oct 2025, 20:20

Type Values Removed Values Added
References
  • {'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7262', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}

21 Oct 2025, 19:21

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7262 -

22 Aug 2024, 06:15

Type Values Removed Values Added
Summary (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 (inclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document

16 Aug 2024, 14:25

Type Values Removed Values Added
Summary
  • (es) La validación de ruta incorrecta en promecefpluginhost.exe en la versión Kingsoft WPS Office que va desde 12.2.0.13110 a 12.2.0.13489 (incluida) en Windows permite a un atacante cargar una librería arbitraria de Windows. La vulnerabilidad se encontró armada como un exploit de un solo clic en forma de un documento de hoja de cálculo engañoso.
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:kingsoft:wps_office:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
First Time Microsoft
Kingsoft wps Office
Microsoft windows
Kingsoft
References () https://www.wps.com/whatsnew/pc/20240422/ - () https://www.wps.com/whatsnew/pc/20240422/ - Vendor Advisory

16 Aug 2024, 08:15

Type Values Removed Values Added
Summary (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load an arbitrary Windows library. Using the MHTML format allows an attacker to automatically deliver a malicious library on opening the document and a single user click on a crafted hyperlink leads to the execution of the library. (en) Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 (inclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document

15 Aug 2024, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-15 15:15

Updated : 2025-10-30 20:12

NVD link : CVE-2024-7262

Mitre link : CVE-2024-7262

CVE.ORG link : CVE-2024-7262

JSON object : View

Products Affected

kingsoft

  • wps_office

microsoft

  • windows
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')