CVE-2022-1390
Published: 2022-04-25
Priority: P1 · 85 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit); listed in VulnCheck KEV
EPSS: 22.13% (97.4th percentile)
The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on servers running an old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar deserialization technique.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| admin_word_count_column_project | admin_word_count_column | <= 2.2 | — |
| fortinet | fortinac | — | — |
| fortinet | fortinac-f | — | — |
Detection & IOCs (extracted from sources)
URL: /wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0
- Look for unauthenticated GET requests to download-csv.php with a 'path' parameter containing directory traversal sequences (../../../../) and a null byte (\0) used to bypass file extension checks on old PHP versions.
- An HTTP 200 response whose body matches the 'root:[x*]:0:0' pattern indicates a successful /etc/passwd read via LFI exploitation.
- Monitor for Phar deserialization payloads delivered via the 'path' parameter of download-csv.php, which can escalate LFI to remote code execution.
- The null byte technique for bypassing file extension validation in readfile() only works on old/legacy versions of PHP (prior to 5.3.4, where null byte handling was fixed). Exploitation is PHP-version dependent.
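As an added detection example (not code from the page's sources or from the plugin), the Python below classifies Apache-style access-log lines for the indicators listed above: requests to download-csv.php whose 'path' parameter carries traversal segments, a percent-encoded null byte, or a phar:// wrapper. The log lines and client IPs are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log style (not real traffic).
# The null byte arrives percent-encoded as %00 in a real access log.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2022:10:01:02 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1834
203.0.113.5 - - [25/Apr/2022:10:01:03 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2910
198.51.100.7 - - [25/Apr/2022:10:02:00 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=export.csv HTTP/1.1" 200 512
198.51.100.9 - - [25/Apr/2022:10:03:00 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=phar://../../uploads/x.jpg/t.txt HTTP/1.1" 500 0
192.0.2.4 - - [25/Apr/2022:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
TARGET_SCRIPT = "/wp-content/plugins/admin-word-count-column/download-csv.php"


def classify_request(line):
    """Return indicator tags for one log line ([] if not a download-csv.php hit)."""
    m = LOG_RE.match(line)
    if not m or not urlsplit(m.group("target")).path.endswith(TARGET_SCRIPT):
        return []
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes once; a second unquote catches double encoding
    path = unquote(parse_qs(query, keep_blank_values=True).get("path", [""])[0])
    tags = []
    if ".." in path.replace("\\", "/").split("/"):
        tags.append("traversal")
    if "\x00" in path:  # the null-byte extension-check bypass on legacy PHP
        tags.append("null-byte")
    if path.lower().startswith("phar://"):  # LFI-to-RCE via Phar deserialization
        tags.append("phar-wrapper")
    if tags and m.group("status") == "200":
        tags.append("status-200")  # likely succeeded; inspect body for root:x:0:0
    return tags


def scan_log(text):
    """Return (source_ip, tags) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        tags = classify_request(line)
        if tags:
            hits.append((LOG_RE.match(line).group("ip"), tags))
    return hits
```

The "status-200" tag only says the server answered 200; confirming an actual file read still needs the response body (the 'root:[x*]:0:0' check above), which access logs do not record.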
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-35fp-65cr-47q7 (ghsa_unreviewed · 2022-04-26): CVE-2022-1390 [CRITICAL], CWE-22
Title: The Admin Word Count Column WordPress plugin through 2
Description: identical to the CVE description above.
VulnCheck
CVE-2022-1390 [CRITICAL] (vulncheck · 2022 · CVSS 9.8)
Title: admin_word_count_column_project admin_word_count_column Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description: identical to the CVE description above.
Affected: admin_word_count_column_project admin_word_count_column
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-1
Ivanti
Ivanti Security Advisory: CVE-2024-8322 (vendor_ivanti · 2024-09-10 · CVSS 4.3)
CVE-2024-8322 [MEDIUM] CWE-1390
Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update, allows a remote authenticated attacker to access restricted functionality.
CVE IDs: CVE-2024-8322
CVSS Base Score: 4.3
Severity: MEDIUM
CWEs: CWE-1390
Fortinet
FG-IR-22-464 (vendor_fortinet · 2023-05-03 · CVSS 5.3): CVE-2022-45860 [MEDIUM] CWE-1390
A weak authentication vulnerability [CWE-1390] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in the device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increased chance of success.
CVEs: CVE-2022-45860
CWEs: CWE-1390, CWE-287
CVSS: 5.3 (medium)
Affected products: FortiNAC, FortiNAC-F
No detection rules found.
Nuclei
WordPress Admin Word Count Column 2.2 - Local File Inclusion (nuclei · CVSS 9.8)
CVE-2022-1390 [CRITICAL]
The plugin does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on servers running an old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar deserialization technique.
Template:
```yaml
id: CVE-2022-1390

info:
  name: WordPress Admin Word Count Column 2.2 - Local File Inclusion
  author: daffainfo,Splint3r7
  severity: critical
  description: |
    The plugin does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique.
```
im