Executive Summary

The WordPress Plugin admin-word-count-column version 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files on the server.

This is possible because the plugin's download-csv.php file uses a 'path' parameter that can be manipulated with null byte injection and directory traversal sequences. This manipulation bypasses file restrictions and enables attackers to access sensitive files such as system configuration files.

Specifically, the vulnerable code uses 'readfile($_GET['path'] .'cpwc.csv')', which can be exploited by appending a null byte to the path parameter, allowing attackers to read files like '/etc/passwd'.

This vulnerability affects PHP versions 5.3.2 and below due to the way null byte injection works.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to read sensitive files on your server without authentication.

• Attackers can access system configuration files, which may contain sensitive information.
• Exposure of sensitive files can lead to further attacks or compromise of the server.
• Since the vulnerability allows arbitrary file reading, confidential data stored on the server could be leaked.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the local file read flaw using crafted GET requests targeting the download-csv.php file with a manipulated 'path' parameter.

A typical detection command involves sending a request to the vulnerable plugin's download-csv.php endpoint with directory traversal sequences and a null byte to try to read sensitive files such as /etc/passwd.

• curl 'http://<target>/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd%00'

If the response contains contents of the targeted file (e.g., /etc/passwd), it indicates the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include removing or disabling the vulnerable admin-word-count-column plugin version 2.2 from your WordPress installation.

Since the plugin was removed from the WordPress Plugin Directory due to this security issue and has not been updated for many years, it is recommended not to use it.

Additionally, restrict access to the download-csv.php file or the plugin directory via web server configuration to prevent unauthenticated access.

Ensure your PHP version is updated beyond 5.3.2, as the null byte injection exploit is limited to PHP versions 5.3.2 and below.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to read arbitrary files on the server, including sensitive system configuration files. Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

By enabling attackers to bypass file restrictions and access sensitive files, the vulnerability increases the risk of data breaches and unauthorized disclosure, potentially resulting in non-compliance with these common standards and regulations.

Useful 0 Not Useful 0