CVE-2021-39312
published 2021-12-14

CVE-2021-39312: The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src…

Priority: P1 82, high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Flags: ITW (in the wild) · EXPLOIT (public exploit) · VulnCheck KEV
Exploited in the wild
EPSS: 78.43% (99.5th percentile)
The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.

Affected (2 ranges)

Vendor        Product       Version range   Fixed in
true_ranker   true_ranker   2.2.2 – 2.2.2
trueranker    true_ranker   <= 2.2.2

Detection & IOCs (extracted from sources)

Paths:
  /wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php
  /scripts/simple.php/../../../../../../../../../../wp-config.php
Request parameter (the 'src' POST parameter, percent-encoded as sent):
  src=%2Fscripts%2Fsimple.php%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php
Matcher (labelled "sigma" on the source page; the syntax is that of a Nuclei template matcher):
  matchers: words: ["DB_NAME", "DB_PASSWORD"] condition: and; status: 200
  • Detect unauthenticated POST requests to the vulnerable plugin path that target the 'src' parameter with path traversal sequences.
  • Look for 'src' POST parameter values containing '/scripts/simple.php/' followed by directory traversal ('../') sequences, particularly ones ending in wp-config.php.
  • Successful exploitation returns HTTP 200 with the strings 'DB_NAME' and 'DB_PASSWORD' in the response body; monitor for these in web application firewall or proxy logs.
  • The exploit is unauthenticated: no session cookie or nonce is required beyond the standard WordPress test cookie, which makes it trivially scriptable at scale.
  • The vulnerability affects True Ranker plugin versions <= 2.2.2; version 2.2.4 is the fixed release. Scope detections to sites still running a vulnerable plugin version.
  • The default exploit payload reaches wp-config.php through 10 levels of directory traversal, but the 'src' parameter accepts arbitrary paths, so detections should not be limited to wp-config.php alone.
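The detection logic in the bullets above, run over a few constructed proxy/WAF log records, as an added example that is not code from this page, from the plugin, or from VulnCheck. It decodes the 'src' POST parameter (twice, so a double-encoded payload is not missed), flags any '..' traversal against examples.php regardless of the target file, and marks a finding as confirmed only when the response is HTTP 200 and carries both DB_NAME and DB_PASSWORD. The JSON record layout, the field names and the client addresses are assumptions; the plugin path and the payload are the ones listed in the IOCs.

```python
"""Added example for CVE-2021-39312: run the detection logic above over
constructed proxy/WAF log records. Not code from the page or the plugin;
the JSON record layout and field names are assumptions."""
import json
import posixpath
from typing import Optional
from urllib.parse import parse_qs, quote, unquote

# Vulnerable endpoint, relative to the plugin directory (from the advisory).
EXAMPLES_PHP = "/admin/vendor/datatables/examples/resources/examples.php"
# Strings the response contains when wp-config.php has been read.
SECRET_MARKERS = ("DB_NAME", "DB_PASSWORD")


def extract_src(body: str, query: str = "") -> Optional[str]:
    """Return the decoded 'src' parameter from the POST body (or, failing that,
    the query string), or None. parse_qs decodes once; the loop decodes again
    so a double-encoded '%252F..%252F' payload is not missed."""
    for raw in (body, query):
        params = parse_qs(raw, keep_blank_values=True)
        if "src" in params:
            value = params["src"][0]
            for _ in range(2):
                again = unquote(value)
                if again == value:
                    break
                value = again
            return value
    return None


def classify(record: dict) -> Optional[dict]:
    """Return a finding for a traversal attempt against examples.php, else None.
    Any '..' segment counts (not only wp-config.php); 'confirmed' is set when
    the response carries the DB credential markers with HTTP 200."""
    if record.get("method") != "POST":
        return None
    path, _, query = record.get("path", "").partition("?")
    if not path.endswith(EXAMPLES_PHP):
        return None
    src = extract_src(record.get("body", ""), query)
    if src is None:
        return None
    segments = src.split("/")
    if ".." not in segments:
        return None  # in-tree value such as /scripts/simple.php
    response = record.get("response", "")
    return {
        "client": record.get("client"),
        "target": posixpath.basename(src),
        "traversal_depth": segments.count(".."),
        "confirmed": record.get("status") == 200
        and all(m in response for m in SECRET_MARKERS),
    }


def scan(lines) -> list:
    """Classify one JSON record per line; skip blank lines."""
    findings = []
    for line in lines:
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed sample records (assumed format; plugin path from the IOC list).
PLUGIN_ENDPOINT = "/wp-content/plugins/seo-local-rank" + EXAMPLES_PHP


def _post(client, src, status, response="", encode_twice=False):
    value = quote(src, safe="")          # '/' becomes %2F, as in the IOC
    if encode_twice:
        value = quote(value, safe="")    # %2F becomes %252F
    return {"client": client, "method": "POST", "path": PLUGIN_ENDPOINT,
            "status": status, "body": "src=" + value, "response": response}


SAMPLE_RECORDS = [
    # 1: the published payload (10 levels of '../' to wp-config.php), successful
    _post("203.0.113.7", "/scripts/simple.php/" + "../" * 10 + "wp-config.php", 200,
          "<?php define('DB_NAME', 'wp'); define('DB_PASSWORD', 's3cret');"),
    # 2: benign in-tree use of the same parameter
    _post("198.51.100.4", "/scripts/simple.php", 200, "<html>example</html>"),
    # 3: traversal to a different file, unsuccessful
    _post("203.0.113.7", "/scripts/simple.php/" + "../" * 6 + "etc/passwd", 404),
    # 4: double-encoded traversal, no secrets in the response
    _post("192.0.2.9", "/scripts/simple.php/../../wp-config.php", 200, "",
          encode_twice=True),
    # 5: unrelated GET to the same endpoint
    {"client": "198.51.100.4", "method": "GET", "path": PLUGIN_ENDPOINT + "?src=x",
     "status": 200, "body": "", "response": ""},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Records 1, 3 and 4 produce findings (only record 1 is confirmed); record 2 is the legitimate in-tree use of 'src' and record 5 is a GET, so neither is flagged. A plain access log will not carry the POST body, so this needs WAF, reverse-proxy or request-logging data that includes it.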

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck             7.5     HIGH