CVE-2024-7262 CRITICAL

CVE-2024-7262: Arbitrary Code Execution in WPS Office

Vendor Kingsoft
Product WPS Office
Weakness CWE-22 · Path traversal
KEV Status Known Exploited
Published August 15, 2024
Last update October 21, 2025

CVSS base score

9.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/RE:L

What the vulnerability does

01 Description

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office versions from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document.

CISA mandated remediation

02 CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03 Disclosure timeline

August 15, 2024 CVE published
October 21, 2025 Record updated