CVE-2022-0679 – The Narnoo Distributor WordPress plugin through... (How to Fix)

Q: What is the severity of CVE-2022-0679?

CVE-2022-0679 has a CVSS score of 9.8 (CRITICAL). The Narnoo Distributor WordPress plugin through version 2.5.1 contains a path traversal vulnerability that allows attackers to read arbitrary files on the server. Both unauthenticated and authenticated users can exploit this via a crafted AJAX request. This could lead to sensitive information disclosure or potentially remote code execution depending on system configuration.

📋 TL;DR

The Narnoo Distributor WordPress plugin through version 2.5.1 contains a path traversal vulnerability that allows attackers to read arbitrary files on the server. Both unauthenticated and authenticated users can exploit this via a crafted AJAX request. This could lead to sensitive information disclosure or potentially remote code execution depending on system configuration.

💻 Affected Systems

Products:

Narnoo Distributor WordPress Plugin

Versions: Versions up to and including 2.5.1

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default plugin configuration. Requires WordPress installation with the vulnerable plugin activated.

📦 What is this software?

Narnoo Distributor by Narnoo Distributor Project

View all CVEs affecting Narnoo Distributor →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Sensitive file disclosure including configuration files, database credentials, and other critical system information.

🟢

If Mitigated

Limited impact with proper file permissions, web application firewalls, and network segmentation in place.

🌐 Internet-Facing: HIGH - Exploitable by unauthenticated users over the internet via standard web requests.

🏢 Internal Only: HIGH - Also exploitable from internal networks by authenticated or unauthenticated users.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP request with crafted parameter. Public exploit code available. RCE requires additional conditions like writable directories or specific PHP configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.5.2 or later

Vendor Advisory: https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8

Restart Required: No

Instructions:

1. Update Narnoo Distributor plugin to version 2.5.2 or higher via WordPress admin panel. 2. Verify update completed successfully. 3. Clear any caching mechanisms.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Remove or restrict access to the narnoo_distributor_lib_request AJAX action

Add to theme's functions.php: remove_action('wp_ajax_narnoo_distributor_lib_request', 'narnoo_distributor_lib_request');
Add to theme's functions.php: remove_action('wp_ajax_nopriv_narnoo_distributor_lib_request', 'narnoo_distributor_lib_request');

Web Application Firewall rule

all

Block requests containing path traversal patterns in lib_path parameter

WAF rule: Block requests where lib_path parameter contains '../' or similar path traversal sequences

🧯 If You Can't Patch

Deactivate the Narnoo Distributor plugin immediately
Implement strict file permissions (read-only for web user on sensitive directories)

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for Narnoo Distributor plugin version. If version is 2.5.1 or lower, system is vulnerable.

Check Version:

wp plugin list --name='Narnoo Distributor' --field=version (if WP-CLI installed) or check WordPress admin panel

Verify Fix Applied:

Verify plugin version is 2.5.2 or higher in WordPress admin panel. Test AJAX endpoint with invalid path to confirm proper validation.

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /wp-admin/admin-ajax.php with action=narnoo_distributor_lib_request
lib_path parameter containing '../' or similar traversal sequences
Unusual file access patterns in web server logs

Network Indicators:

POST requests to admin-ajax.php with lib_path parameter
Responses containing file contents in JSON format

SIEM Query:

source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND query="action=narnoo_distributor_lib_request" AND (query="../" OR query="..\")

📊 Metadata

CVE ID: CVE-2022-0679

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

Published: March 28, 2022

Last Updated: November 21, 2024

🔗 References

https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8 Exploit,Third Party Advisory
https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0679, you might also want to check these: