CVE-2022-0679
Published 2022-03-28
CVE-2022-0679: The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via…
Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 47.83% (98.7th percentile)
The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users), which results in the disclosure of arbitrary files, as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks, but that depends on the underlying system and its configuration.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| narnoo_distributor_project | narnoo_distributor | <= 2.5.1 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /wp-admin/admin-ajax.php containing the parameter 'action=narnoo_distributor_lib_request': this is the vulnerable unauthenticated AJAX endpoint. The 'lib_path' parameter is passed directly to require(), enabling LFI/RCE.
- Inspect HTTP request bodies for a 'lib_path=' parameter containing path traversal sequences (e.g., /etc/passwd, ../../) in POST requests to admin-ajax.php.
- Look for the X-Requested-With: XMLHttpRequest header combined with Content-Type: application/x-www-form-urlencoded in POST requests to admin-ajax.php as part of exploit fingerprinting.
- Successful exploitation returns file contents (e.g., /etc/passwd) as JSON data in the HTTP response body. Alert on responses from admin-ajax.php containing patterns matching 'root:.*:0:0:'.
- The vulnerability is exploitable by both unauthenticated and authenticated users, meaning no login or session token is required to trigger LFI/RCE.
- RCE potential depends on the underlying system configuration (e.g., writable paths, PHP wrappers, log poisoning opportunities); LFI is confirmed but RCE is conditional.
- Affected versions are up to and including 2.5.1; upgrade to 2.5.2 or later to remediate.
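The indicators in the list above, turned into a small triage script. This is an added example written for this page, not code from any of the sources it aggregates. It runs the rules over a few constructed request/response records: the `HttpExchange` type, the `analyze`, `severity` and `triage` functions and the sample records are all my own names and data. The traversal pattern combines the page's `../../` and `/etc/passwd` indicators with a `php://` wrapper check, since the list notes that PHP wrappers are one of the conditions under which the LFI becomes RCE.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Indicators taken from the Detection & IOCs list for CVE-2022-0679.
VULN_ACTION = "narnoo_distributor_lib_request"
# "../" and "/etc/passwd" are the page's own indicators; "php://" is added to
# cover the PHP-wrapper case the list mentions (assumption, not from the page).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|php://)", re.IGNORECASE)
# Page indicator for a successful read of /etc/passwd echoed back as JSON.
PASSWD_LEAK_RE = re.compile(r"root:.*:0:0:")


@dataclass
class HttpExchange:
    """One request/response pair as a WAF or proxy log might record it (hypothetical shape)."""
    method: str
    path: str
    headers: dict
    body: str
    response_body: str = ""


def analyze(ex: HttpExchange) -> list:
    """Return the indicator names triggered by a single exchange, in rule order."""
    findings = []
    path = ex.path.split("?", 1)[0]
    if ex.method.upper() != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return findings  # only the AJAX endpoint is in scope for these rules
    # parse_qs percent-decodes, so ..%2F..%2F is seen as ../../
    params = parse_qs(ex.body, keep_blank_values=True)
    if params.get("action", [""])[0] == VULN_ACTION:
        findings.append("vulnerable_ajax_action")
    lib_path = params.get("lib_path", [""])[0]
    if lib_path and TRAVERSAL_RE.search(lib_path):
        findings.append("lib_path_traversal")
    hdrs = {k.lower(): v for k, v in ex.headers.items()}
    if (hdrs.get("x-requested-with", "").lower() == "xmlhttprequest"
            and hdrs.get("content-type", "").lower().startswith("application/x-www-form-urlencoded")):
        findings.append("ajax_fingerprint_headers")  # weak on its own: every WP AJAX call looks like this
    if PASSWD_LEAK_RE.search(ex.response_body):
        findings.append("passwd_content_in_response")
    return findings


def severity(findings: list) -> str:
    """Collapse indicators into a single triage level. The header fingerprint never counts alone."""
    if "passwd_content_in_response" in findings:
        return "confirmed"
    if "vulnerable_ajax_action" in findings and "lib_path_traversal" in findings:
        return "attempt"
    if "vulnerable_ajax_action" in findings:
        return "suspicious"
    return "none"


def triage(exchanges: list) -> list:
    """Return (index, severity, findings) for every exchange that is not 'none'."""
    out = []
    for i, ex in enumerate(exchanges):
        f = analyze(ex)
        s = severity(f)
        if s != "none":
            out.append((i, s, f))
    return out


AJAX_HDRS = {"X-Requested-With": "XMLHttpRequest",
             "Content-Type": "application/x-www-form-urlencoded"}

# Constructed sample traffic (not captured data).
SAMPLES = [
    # 0: ordinary WordPress heartbeat call; only the weak header fingerprint fires
    HttpExchange("POST", "/wp-admin/admin-ajax.php", AJAX_HDRS,
                 "action=heartbeat&_nonce=abc", '{"server_time":1}'),
    # 1: traversal attempt against the vulnerable action, request failed
    HttpExchange("POST", "/wp-admin/admin-ajax.php", AJAX_HDRS,
                 "action=narnoo_distributor_lib_request&lib_path=../../../../etc/passwd",
                 '{"result":"error"}'),
    # 2: same request, response echoes passwd content as JSON
    HttpExchange("POST", "/wp-admin/admin-ajax.php", AJAX_HDRS,
                 "action=narnoo_distributor_lib_request&lib_path=../../../../etc/passwd",
                 '{"data":"root:x:0:0:root:/root:/bin/bash\\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"}'),
    # 3: GET to the endpoint is out of scope for these POST-based rules
    HttpExchange("GET", "/wp-admin/admin-ajax.php?action=narnoo_distributor_lib_request", {}, ""),
    # 4: percent-encoded traversal without the usual AJAX headers
    HttpExchange("POST", "/wp-admin/admin-ajax.php", {"Content-Type": "text/plain"},
                 "action=narnoo_distributor_lib_request&lib_path=..%2F..%2F..%2Fetc%2Fpasswd"),
]

if __name__ == "__main__":
    for idx, sev, findings in triage(SAMPLES):
        print(f"sample {idx}: {sev} {findings}")
```

Two caveats the rules themselves make visible: the header fingerprint fires on every legitimate WordPress AJAX call (sample 0), so it should only raise priority alongside the action or traversal rule, never alert alone; and because `lib_path` reaches `require()` unfiltered, an absolute path with no `../` would pass the traversal regex, so the action-name rule is the one that must not be dropped.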
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-vr55-fv2w-8fhh: The Narnoo Distributor WordPress plugin through 2
ghsa_unreviewed · 2022-03-29 · CVE-2022-0679 [CRITICAL] · CWE-22
Description: identical to the NVD description above.
VulnCheck
narnoo_distributor_project narnoo_distributor: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2022 · CVSS 9.8 · CVE-2022-0679 [CRITICAL]
Description: identical to the NVD description above.
Affected: narnoo_distributor_project narnoo_distributor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remed
No detection rules found.
Nuclei
WordPress Narnoo Distributor <=2.5.1 - Local File Inclusion
nuclei · CVSS 9.8 · CVE-2022-0679 [CRITICAL]
WordPress Narnoo Distributor … (>=2.5.2) to mitigate the LFI vulnerability.

```yaml
reference:
  - https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8
  - https://nvd.nist.gov/vuln/detail/CVE-2022-0679
  - https://github.com/cyllective/CVEs
  - https://github.com/ARPSyndicate/cvemon
  - https://github.com/ARPSyndicate/kenzer-templates
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2022-0679
  cwe-id: CWE-22
  epss-score: 0.84482
  epss-percentile: 0.99331
  cpe: cpe:2.3:a:narnoo_distributor_project:narnoo_distributor:*:*:*:*:*:wordpress:*:*
metadata:
  verified: true
  max-request: 1
  vendor: narnoo_distributor_project
  product: narnoo_distributor
  framework: wordpress
tags: cve,cve2022,narnoo-distributor,wordpress,wp-plugin,wpscan,wp,rce,unauth,lfi,nar
```