CVE-2022-1390 Scanner
Detects the 'Path Traversal' vulnerability in the Admin Word Count Column plugin for WordPress, affecting versions through 2.2.
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: Url
Toolbox: -
The Admin Word Count Column plugin is a popular WordPress tool used to track the number of words in a post or page. This plugin can be used to keep track of the word count of articles, blog posts, and other written content displayed on a WordPress website. It's an essential tool for bloggers, journalists, and writers who want to produce SEO-friendly articles that comply with word count guidelines.
Unfortunately, this plugin was found to contain a vulnerability tracked as CVE-2022-1390. The flaw stems from a lack of validation of the path parameter that the plugin passes to PHP's readfile() function. On a server running an older version of PHP that is susceptible to null-byte truncation, an attacker can therefore read arbitrary files from the server. The same unvalidated file access can also be escalated to remote code execution (RCE) through the Phar deserialization technique, which presents a significant risk for website owners.
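The following is an added illustrative example, not code from the Admin Word Count Column plugin or from s4e.io. It places the insecure pattern the paragraph describes (a request-controlled path handed straight to readfile()) beside a hardened version that confines reads to one directory; the function names, the `$baseDir` argument and the use of `WP_CONTENT_DIR` in the usage note are assumptions.

```php
<?php
// Added example (not the plugin's code): unvalidated path vs. hardened path handling.

// Insecure pattern described in the text: the request value reaches readfile()
// unchanged, so "../" sequences, an embedded null byte (on old PHP versions) and
// stream wrappers such as phar:// are all honoured by the file functions.
function serve_file_insecure(string $path): void
{
    readfile($path);
}

// Hardened version: reject null bytes and wrappers first, then resolve the
// candidate to a canonical absolute path and require it to lie inside $baseDir.
// Returns true when a file was served, false when the request was refused.
function serve_file_safe(string $path, string $baseDir): bool
{
    // 1. Null bytes never belong in a filename; refuse them before any
    //    filesystem call so truncation can never occur.
    if (strpos($path, "\0") !== false) {
        return false;
    }

    // 2. Refuse any URL scheme (phar://, php://, data://, ...). This check runs
    //    before is_file()/file_exists(), because those functions consult stream
    //    wrappers and a phar:// path would trigger Phar metadata deserialization.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }

    // 3. Canonicalise both sides. realpath() collapses "." and ".." segments and
    //    returns false for paths that do not exist, so traversal cannot escape
    //    by string tricks alone.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    if ($base === false || $real === false) {
        return false;
    }

    // 4. The resolved file must sit strictly below the base directory
    //    (the trailing separator prevents "/var/www/uploads2" matching "/var/www/uploads").
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    // 5. Serve regular, readable files only (no directories, devices or sockets).
    if (!is_file($real) || !is_readable($real)) {
        return false;
    }

    readfile($real);
    return true;
}
```

In a WordPress context the hardened function would be called with the untrusted value and a fixed base, for example `serve_file_safe($_GET['path'] ?? '', WP_CONTENT_DIR . '/uploads')`, and the calling handler should additionally require an appropriate capability (for instance via `current_user_can()`) and a nonce, so that the file read is not reachable by unauthenticated requests at all. The ordering of the checks is the point of the example: the wrapper test precedes every filesystem call, because PHP's file functions, not only readfile(), are what trigger Phar deserialization.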
When exploited, this vulnerability can lead to arbitrary file access and remote code execution, potentially allowing an attacker to steal sensitive data or take over a site's entire infrastructure. This could expose critical information such as user login credentials, financial data, and confidential company information, leading to disastrous consequences for businesses and individuals alike.
In conclusion, the Admin Word Count Column WordPress plugin has a significant vulnerability that can lead to severe consequences for website owners. Through the proactive implementation of the precautions outlined above, website owners and WordPress administrators can protect themselves against this vulnerability. By using our s4e.io platform pro features, you can quickly identify vulnerabilities in your digital assets and receive actionable advice about improving your website's cybersecurity.