Admin Word Count Column <= 2.2 – Unauthenticated Arbitrary File Read | CVE 2022-1390

Description

The plugin does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique

Proof of Concept

https://example.com/wp-content/plugins/admin-word-count-column/download-csv.php?path=/etc/passwd\0

Affects Plugins

admin-word-count-column

No known fix

References

CVE

CVE-2022-1390

Exploitdb

50845

URL

https://packetstormsecurity.com/files/#166476/

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Hassan Khan Yusufzai - Splint3r7

Verified

Yes

WPVDB ID

6293b319-dc4f-4412-9d56-55744246c990

Timeline

Publicly Published

2022-03-27 (about 3 years ago)

Added

2022-03-29 (about 3 years ago)

Last Updated

2022-12-05 (about 3 years ago)

Other

Published

Title

Published

2022-09-06

Title

BackupBuddy < 8.7.5 - Unauthenticated Arbitrary File Access

Published

2017-10-20

Title

Multiple Plugins - jQueryFileTree - Unauthenticated Path Traversal

Published

2019-02-14

Title

WP Cost Estimation < 9.660 - Upload Directory Traversal

Published

2023-03-08

Title

Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.0 - Path Traversal

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Admin+ RCE