cbcvebase.
CVE-2022-1390
published 2022-04-25


Priority: P1 (85)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 22.13% (97.4th percentile)
The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on a server running an old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar deserialization technique.

Affected

3 ranges

Vendor                            Product                   Version range   Fixed in
admin_word_count_column_project   admin_word_count_column   <= 2.2          -
fortinet                          fortinac                  -               -
fortinet                          fortinac-f                -               -

Detection & IOCs

url   /wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0
path  /wp-content/plugins/admin-word-count-column/download-csv.php
  • Look for unauthenticated GET requests to download-csv.php with a 'path' parameter containing directory traversal sequences (../../../../) and a null byte, sent percent-encoded as %00 in the raw request line (and therefore logged that way), to bypass file extension checks on old PHP versions. The script is reached directly, not through WordPress, so no session or nonce is involved.
  • An HTTP 200 response whose body matches the 'root:[x*]:0:0' pattern indicates a successful /etc/passwd read via LFI exploitation; a 404 or 403 on the same probe suggests the request was blocked or the PHP version is not vulnerable.
  • Monitor for Phar deserialization payloads delivered via the 'path' parameter of download-csv.php (a phar:// prefix on the value), which can escalate the LFI to Remote Code Execution. This needs a phar-formatted file the attacker already placed on the server, for example through an upload feature; the file extension does not matter because the wrapper reads the phar stub.
  • The null byte technique for bypassing file extension validation in readfile() only works on old/legacy versions of PHP (before 5.3.4, which rejects paths containing a null byte in filesystem functions). Exploitation is PHP-version dependent.
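Detection logic for the indicators above, as an added example that is not part of this page or the plugin's code: a Python scanner over constructed Apache/nginx combined-format access-log lines (documentation IP addresses, invented timestamps; the phar and wp-config.php probes are made up for illustration) that flags requests to download-csv.php whose path parameter carries a traversal sequence, a null byte (including the double-encoded %2500 form) or a phar:// wrapper, plus a response-body check using the assumed regex root:.*:0:0 for the /etc/passwd read. The endpoint constant and helper names are mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Plugin script path taken from the IOC above (assumed to sit at the site root).
TARGET_SCRIPT = "/wp-content/plugins/admin-word-count-column/download-csv.php"

# Apache/nginx "combined" access-log line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumed regex for the response-body check: the root entry of /etc/passwd,
# whatever its password field holds.
PASSWD_RE = re.compile(r"root:.*:0:0")

# Constructed sample log lines (RFC 5737 addresses); not from any real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2022:10:01:02 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Apr/2022:10:01:05 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=phar://../../../uploads/2022/04/avatar.jpg/x HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2022:10:02:00 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=%2e%2e%2f%2e%2e%2fwp-config.php%2500 HTTP/1.1" 404 196 "-" "curl/7.81.0"
198.51.100.8 - - [25/Apr/2022:10:03:00 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=export.csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Apr/2022:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 22 "-" "Mozilla/5.0"
"""


def analyse_target(target: str) -> list[str]:
    """Classify one request target; returns indicator tags, [] if not of interest."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_SCRIPT):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %00 -> "\x00"
    tags: list[str] = []
    for raw in params.get("path", []):
        value = unquote(raw)  # second decode catches double-encoded payloads (%2e%2e%2f, %2500)
        if "../" in value or "..\\" in value:
            tags.append("traversal")
        if "\x00" in value:
            tags.append("null-byte")
        if "phar://" in value.lower():
            tags.append("phar")
    return tags


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose request matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = analyse_target(m["target"])
        if not tags:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": status,
            "tags": tags,
            # A 200 on a traversal probe is the strong signal; 403/404 suggests the probe
            # was blocked or the PHP version rejects the null byte.
            "likely_success": status == 200 and "traversal" in tags,
        })
    return findings


def looks_like_passwd(body: str) -> bool:
    """True when a response body carries the root line of /etc/passwd."""
    return PASSWD_RE.search(body) is not None


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block prints three findings: the null-byte /etc/passwd read (200, likely successful), the phar:// probe, and the double-encoded wp-config.php attempt (404, not successful); the plain export.csv request and the unrelated admin-ajax call produce nothing. Pair the request-side hits with looks_like_passwd() on captured responses where a proxy or WAF keeps bodies.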

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -