CVE-2022-0679
published 2022-03-28


Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
In the wild: ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 47.83% (98.7th percentile)
The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users), which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and its configuration.

Affected

1 range

Vendor                      Product              Version range   Fixed in
narnoo_distributor_project  narnoo_distributor   <= 2.5.1        (not listed)

Detection & IOCs (extracted from sources)

url:     /wp-admin/admin-ajax.php
command: action=narnoo_distributor_lib_request&lib_path=/etc/passwd
other:   narnoo_distributor_lib_request
  • Monitor POST requests to /wp-admin/admin-ajax.php containing the parameter 'action=narnoo_distributor_lib_request': this is the vulnerable AJAX endpoint, reachable without authentication. The 'lib_path' parameter is passed directly to require(), enabling LFI and potentially RCE.
  • Inspect HTTP request bodies for a 'lib_path=' parameter carrying an absolute path or traversal sequences (e.g., /etc/passwd, ../../) in POST requests to admin-ajax.php.
  • Look for the X-Requested-With: XMLHttpRequest header combined with Content-Type: application/x-www-form-urlencoded in POST requests to admin-ajax.php as part of exploit fingerprinting.
  • Successful exploitation returns file contents (e.g., /etc/passwd) as JSON data in the HTTP response body. Alert on responses from admin-ajax.php whose body matches 'root:.*:0:0:'.
  • The vulnerability is exploitable by both unauthenticated and authenticated users, meaning no login or session token is required to trigger LFI/RCE.
  • RCE potential depends on the underlying system configuration (e.g., writable paths, PHP wrappers, log poisoning opportunities); LFI is confirmed but RCE is conditional.
  • Affected versions are up to and including 2.5.1; upgrade to 2.5.2 or later to remediate.
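The detection points above, turned into a small classifier over request/response pairs. This is an added example, not code from the CVE record or from any vendor; the sample records are constructed, and the path and leak patterns are my assumptions about what a sensor would match.

```python
import re
from urllib.parse import parse_qs

VULN_ACTION = "narnoo_distributor_lib_request"
# lib_path values that are not a plain relative filename: absolute path,
# directory traversal, or a stream wrapper such as php:// (assumed patterns)
SUSPICIOUS_PATH = re.compile(r"^/|\.\./|\.\.\\|^[a-z]+://", re.I)
# /etc/passwd root entry echoed back inside the JSON response body
PASSWD_LEAK = re.compile(r"root:.*:0:0:")

# Constructed sample records: (method, path, request body, response body)
SAMPLE_RECORDS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=narnoo_distributor_lib_request&lib_path=/etc/passwd",
     '{"data":"root:x:0:0:root:/root:/bin/bash\\n"}'),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=narnoo_distributor_lib_request&lib_path=../../wp-config.php",
     '{"data":""}'),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=narnoo_distributor_lib_request&lib_path=templates.php",
     '{"data":"<?php"}'),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat", '{"success":true}'),
    ("GET", "/index.php", "", "<html></html>"),
]


def classify(method, path, body, response):
    """Return alert tags for one request/response pair (empty = benign)."""
    tags = []
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return tags
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != VULN_ACTION:
        return tags
    tags.append("narnoo_lib_request")  # any use of the vulnerable action
    if SUSPICIOUS_PATH.search(params.get("lib_path", [""])[0]):
        tags.append("lib_path_traversal")  # absolute path / traversal / wrapper
    if PASSWD_LEAK.search(response):
        tags.append("file_disclosure_confirmed")  # file content in response
    return tags


def scan(records):
    """Return (request body, tags) for every record that raised an alert."""
    hits = []
    for rec in records:
        tags = classify(*rec)
        if tags:
            hits.append((rec[2], tags))
    return hits
```

Even a plain relative lib_path is tagged, because any call to this action on an unpatched site is worth a look; the traversal and leak tags raise the severity.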

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   6.8   MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck         9.8   CRITICAL