CVE-2021-39312
Published: 2021-12-14
Priority: P1 82 · high · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 78.43% (99.5th percentile)
The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| true_ranker | true_ranker | 2.2.2 – 2.2.2 | — |
| trueranker | true_ranker | <= 2.2.2 | — |
Detection & IOCs (extracted from sources)
Command (observed payload): src=%2Fscripts%2Fsimple.php%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php
Sigma matchers: words: ["DB_NAME", "DB_PASSWORD"]; condition: and; status: 200
- Detect unauthenticated POST requests to the vulnerable plugin path targeting the 'src' parameter with path traversal sequences.
- Look for 'src' POST parameter values containing '/scripts/simple.php/' followed by directory traversal (../) sequences, particularly targeting wp-config.php.
- Successful exploitation returns HTTP 200 with 'DB_NAME' and 'DB_PASSWORD' strings in the response body; monitor for these in web application firewall or proxy logs.
- The exploit is unauthenticated; no session cookie or nonce is required beyond the standard WordPress test cookie, making it trivially scriptable at scale.
- The vulnerability affects True Ranker plugin versions <= 2.2.2; version 2.2.4 is the fixed release. Ensure detections are scoped to sites still running the vulnerable plugin version.
- The default exploit payload targets wp-config.php via 10 levels of directory traversal, but the 'src' parameter accepts arbitrary paths; detections should not be limited to wp-config.php alone.
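The detection points above can be turned into a small log-triage routine. The following is an added example written for this page, not code from any of the sources quoted here: it normalizes the `src` POST parameter (decoding it twice to catch double encoding), flags any traversal sequence rather than only the wp-config.php payload, and separately marks a request as a likely successful read when the response was HTTP 200 and carried both `DB_NAME` and `DB_PASSWORD`. The record shape (`method`, `path`, `body`, `status`, `response_body`) and the sample events are constructed for the example; the plugin directory `/wp-content/plugins/seo-local-rank` is assumed from the plugin slug in the vendor homepage URL.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Vulnerable script path from the advisory (relative to the plugin directory).
VULN_PATH = "/admin/vendor/datatables/examples/resources/examples.php"
# Assumed plugin directory, derived from the plugin slug "seo-local-rank".
PLUGIN_DIR = "/wp-content/plugins/seo-local-rank"
# Prefix used by the public payload before the traversal sequence.
PAYLOAD_PREFIX = "/scripts/simple.php/"
# Any "../" or "..\" counts as traversal; the src parameter accepts arbitrary paths.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Response markers taken from the Sigma matchers on the page.
LEAK_MARKERS = ("DB_NAME", "DB_PASSWORD")


def decode_src(body: str) -> Optional[str]:
    """Return the decoded 'src' form parameter, or None if absent.

    parse_qs percent-decodes once; the extra unquote catches double-encoded
    payloads such as %252e%252e%252f.
    """
    vals = parse_qs(body, keep_blank_values=True).get("src")
    if not vals:
        return None
    return unquote(vals[0])


def classify(event: dict) -> dict:
    """Classify one request/response record.

    'attempt'  : traversal sequence seen in src against the vulnerable path
    'success'  : attempt AND HTTP 200 AND both config markers in the response
    'target'   : last path component of the requested file (for reporting)
    'uses_known_payload': src starts with the /scripts/simple.php/ prefix
    """
    result = {"attempt": False, "success": False, "target": None, "uses_known_payload": False}
    if event.get("method") != "POST" or not event.get("path", "").endswith(VULN_PATH):
        return result
    src = decode_src(event.get("body", ""))
    if src is None or not TRAVERSAL_RE.search(src):
        return result
    result["attempt"] = True
    result["target"] = src.rsplit("/", 1)[-1] or src
    result["uses_known_payload"] = src.startswith(PAYLOAD_PREFIX)
    resp = event.get("response_body", "")
    if event.get("status") == 200 and all(m in resp for m in LEAK_MARKERS):
        result["success"] = True
    return result


def scan(events: list) -> tuple:
    """Return (attempt_count, success_count, findings) over a list of records."""
    findings = []
    for idx, ev in enumerate(events):
        r = classify(ev)
        if r["attempt"]:
            findings.append((idx, r))
    attempts = len(findings)
    successes = sum(1 for _, r in findings if r["success"])
    return attempts, successes, findings


# Constructed sample records (not real traffic).
SAMPLE_EVENTS = [
    {   # known payload against wp-config.php; server returned the config
        "method": "POST",
        "path": PLUGIN_DIR + VULN_PATH,
        "body": "src=%2Fscripts%2Fsimple.php%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php",
        "status": 200,
        "response_body": "<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'DB_PASSWORD', 'redacted' );",
    },
    {   # traversal to a different file, blocked upstream (403): attempt, not success
        "method": "POST",
        "path": PLUGIN_DIR + VULN_PATH,
        "body": "src=..%2F..%2F..%2F.htaccess",
        "status": 403,
        "response_body": "Forbidden",
    },
    {   # same script, no traversal: not flagged
        "method": "POST",
        "path": PLUGIN_DIR + VULN_PATH,
        "body": "src=%2Fscripts%2Fsimple.php",
        "status": 200,
        "response_body": "<html>example</html>",
    },
]

if __name__ == "__main__":
    attempts, successes, findings = scan(SAMPLE_EVENTS)
    print(f"attempts={attempts} successes={successes}")
    for idx, r in findings:
        print(idx, r)
```

Scoping note: because the fix shipped in 2.2.4, pair this check with an inventory of which sites still run True Ranker <= 2.2.2; an attempt against a patched site is reconnaissance noise, while a `success` hit on an unpatched one means the database credentials in wp-config.php should be treated as exposed.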
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | — | 7.5 | HIGH | — |
GHSA
GHSA-2mm8-gjg2-whmx · ghsa_unreviewed · 2021-12-15 · CVE-2021-39312 [HIGH] · CWE-22
The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.
VulnCheck
trueranker true_ranker: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') · vulncheck · 2021 · CVE-2021-39312 [HIGH] · CVSS 7.5
The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.
Affected: trueranker true_ranker
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-03&host_type=src&vulnerability=cve-2021-39312; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-05&host_type=s
No detection rules found.
Exploit-DB
WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) · exploitdb · 2022-01-05 · CVE-2021-39312 [HIGH] · CVSS 7.5
---
# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
# Date: 23/12/2021
# Exploit Authors: Nicole Sheinin, Liad Levy
# Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/
# Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/
# Version: versions <= 2.2.2
# Tested on: MacOS
# CVE: CVE-2021-39312
# Github repo:
#!/usr/bin/env python3
import argparse, textwrap
import requests
import sys
parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter)
group_must = parser.add_argument_group('must arguments')
group_must.add_argument("-u","--url", help
Nuclei
WordPress True Ranker <2.2.4 - Local File Inclusion · nuclei · CVE-2021-39312 [HIGH] · CVSS 7.5
WordPress True Ranker before version 2.2.4 allows sensitive configuration files such as wp-config.php to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file via local file inclusion.
Template:
id: CVE-2021-39312
info:
  name: WordPress True Ranker <2.2.4 - Local File Inclusion
  author: DhiyaneshDK
  severity: high
  description: WordPress True Ranker before version 2.2.4 allows sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file via local file inclusion.
  impact: |
    Unauthenticated attackers can read sensitive configuration files like wp-config.php via local file inclusion,
  reference:
    - http://packetstormsecurity.com/files/165434/WordPress-The-True-Ranker-2.2.2-Arbitrary-File-Read.html
    - https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.php
    - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39312