CVE-2022-1390

9.8 CRITICAL

📋 TL;DR

The Admin Word Count Column WordPress plugin, through version 2.2, passes an unvalidated, attacker-controlled path to PHP's readfile(). An unauthenticated attacker can use path traversal to read arbitrary files from the web server. On PHP builds that still honour embedded null bytes in filesystem paths (releases before 5.3.4), the null byte technique truncates the path at the injected byte, defeating any suffix or extension the code appends. Because readfile() also accepts stream wrappers, pointing it at a phar:// archive the attacker has managed to place on the server (for example through a file upload) triggers Phar metadata deserialization on PHP before 8.0, which can escalate the bug to Remote Code Execution. Every WordPress site running a vulnerable plugin version is affected.

💻 Affected Systems

Products:
  • Admin Word Count Column WordPress Plugin
Versions: All versions through 2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The null byte truncation only works on PHP older than 5.3.4, and the Phar deserialization path only on PHP older than 8.0. Arbitrary file reading via plain traversal may still succeed on newer PHP releases; treat any version through 2.2 as vulnerable regardless of the PHP build.
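The mechanism described in the TL;DR and in the PHP version note above, as an added Python model that is not the plugin's PHP code: the first function mirrors the unchecked concatenate-and-read pattern, the second shows what a pre-5.3.4 PHP runtime actually opened once a %00 was injected, and the third is the hardened check a plugin author should have used (reject NUL bytes and stream wrappers, canonicalise, confirm the result stays under the base directory). The base directory, the appended ".csv" suffix and the parameter are assumptions chosen to illustrate the technique, not values quoted from the plugin.

```python
"""Model of the unchecked readfile() pattern behind CVE-2022-1390.

Added illustration written in Python for this page; it is not the plugin's
PHP. The base directory, the appended '.csv' suffix and the parameter are
assumptions used to show the mechanism, not quoted from the plugin.
"""
import os

BASE_DIR = "/var/www/html/wp-content/uploads"  # assumed directory the plugin serves from
SUFFIX = ".csv"                                # assumed suffix appended to the user path


def vulnerable_build_path(user_path: str) -> str:
    """The flawed pattern: concatenate attacker-controlled input and hand it
    straight to the file read. Returned as a string so the effect is visible;
    in the plugin this string would go to readfile()."""
    return os.path.join(BASE_DIR, user_path) + SUFFIX


def legacy_php_effective_path(path: str) -> str:
    """What the C runtime actually opened on PHP older than 5.3.4: the path is
    a NUL-terminated string, so everything after an injected %00, including an
    appended suffix, is dropped. PHP 5.3.4 and later reject such paths."""
    return path.split("\x00", 1)[0]


def hardened_resolve(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Hardened form: refuse NUL bytes and stream wrappers up front, append the
    suffix, canonicalise, and require the result to stay under base_dir.
    Raises ValueError on anything that should not reach readfile()."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if "://" in user_path:
        # phar://, php://, data:// and friends are stream wrappers; a phar://
        # target is the deserialization-to-RCE route on PHP < 8.0
        raise ValueError("stream wrapper in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path + SUFFIX))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def is_rejected(user_path: str) -> bool:
    """Convenience wrapper: True if the hardened check refuses the input."""
    try:
        hardened_resolve(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "../../../../etc/passwd\x00"
    built = vulnerable_build_path(payload)
    print("vulnerable code builds :", built.replace("\x00", "%00"))
    print("legacy PHP would open  :", legacy_php_effective_path(built))
    for p in ["report", payload, "/etc/passwd", "phar://evil.jpg/x", "a/../../b"]:
        print(f"{p.replace(chr(0), '%00')!r:>32} rejected={is_rejected(p)}")
```

The order of checks matters: the wrapper test runs before canonicalisation because realpath() would happily collapse "phar://x" into a harmless-looking relative path, and the suffix is appended before realpath() so that a trailing "/.." cannot be used to land exactly on the base directory itself.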

📦 What is this software?

Admin Word Count Column is a small WordPress plugin that adds a column showing each post's word count to the Posts list in the WordPress admin dashboard. Its PHP files live under wp-content/plugins/admin-word-count-column/ and, like any plugin file, can be requested directly over HTTP unless the web server blocks them.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise via RCE through Phar deserialization, leading to data theft, malware deployment and complete control of the host

🟠 Likely Case: Arbitrary file disclosure, most importantly wp-config.php (database credentials and authentication salts) and other configuration files readable by the PHP process

🟢 If Mitigated: Limited impact. A current PHP release (8.0 or later) removes both the null byte truncation and the automatic Phar metadata deserialization, and strict file permissions reduce what the PHP process can read, but wp-config.php is necessarily readable by that process, so an unpatched plugin still warrants removal rather than reliance on hardening alone.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and trivial to execute

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.1

Vendor Advisory: https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990

Restart Required: No

Instructions:

1. Update the Admin Word Count Column plugin to version 2.2.1 or later via the WordPress admin panel or WP-CLI.
2. Verify that the update completed and the installed version is above 2.2 (see How to Verify below).
3. Test the plugin's word count column in the Posts list to confirm it still works.

Before relying on an update, confirm against the vendor advisory and the WordPress plugin directory that a release later than 2.2 is actually published. If none is available, treat the plugin as unpatched and follow the workarounds below.

🔧 Temporary Workarounds

Disable vulnerable plugin (all platforms)

Temporarily disable the Admin Word Count Column plugin until it is patched. Deactivating stops the plugin from loading through WordPress, but its PHP files stay on disk and may still be reachable by direct URL, so prefer removal (below) if you cannot patch.

wp plugin deactivate admin-word-count-column

Update PHP version (Linux)

The null byte truncation was closed in PHP 5.3.4 and automatic Phar metadata deserialization was removed in PHP 8.0, so running a current PHP release takes away both amplifiers. It does not stop the underlying file read on its own. The example below installs 7.4 on a Debian/Ubuntu system; pick the newest release your distribution packages (8.x where available) and switch the web server's PHP handler (mod_php or the PHP-FPM pool) to it.

sudo apt update && sudo apt install php7.4

🧯 If You Can't Patch

  • Remove the plugin entirely from the WordPress installation (wp plugin delete admin-word-count-column), so that no plugin file remains reachable
  • Deny direct HTTP access to wp-content/plugins/admin-word-count-column/ at the web server (Apache or nginx location rule) if the files must stay on disk
  • Implement web application firewall rules that block traversal sequences (../ and its URL-encoded forms), %00 and phar:// in requests to the plugin's directory

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for Admin Word Count Column plugin version. If version is 2.2 or earlier, system is vulnerable.

Check Version:

wp plugin get admin-word-count-column --field=version

Verify Fix Applied:

Verify plugin version is 2.2.1 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Requests to files under wp-content/plugins/admin-word-count-column/ that carry a path-like parameter value
  • Traversal sequences (../ or ..\) in raw or URL-encoded form (%2e%2e%2f, %2e%2e/, double-encoded %252e%252e%252f), embedded null bytes (%00), or stream wrappers such as phar:// in the query string
  • Successful (200) responses to such requests with body sizes consistent with wp-config.php or /etc/passwd

Network Indicators:

  • HTTP requests to plugin endpoints with file path parameters, often from a single source hitting several WordPress sites in sequence

SIEM Query:

source="web_access.log" AND uri="*admin-word-count-column*" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e*" OR uri="*%00*" OR uri="*phar://*")

Wildcard matching on the raw URI misses encoded variants the web server decodes before PHP sees them; normalise (URL-decode) the URI field first where the SIEM supports it.
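The detection logic above, as an added example that is not part of the original page: a small Python sweep over web access logs that scopes to the plugin directory, URL-decodes the request URI (twice, to catch double encoding) and flags traversal, null bytes and stream wrappers, which a raw-string SIEM wildcard would miss. The sample log lines are constructed for this example; the endpoint name (download-csv.php) and parameter name (path) in them are assumptions, not quoted from the plugin.

```python
"""Access-log sweep for CVE-2022-1390 exploitation attempts.

Added example for this page, not from the original advisory. SAMPLE_LOG is
constructed; the endpoint and parameter names in it are assumed.
"""
import re
from urllib.parse import unquote

PLUGIN_DIR = "/wp-content/plugins/admin-word-count-column/"

# Common/Combined log format prefix: ip ident user [time] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Ordered so the reasons list is deterministic for reporting.
SUSPICIOUS = [
    ("traversal", re.compile(r"\.\.[/\\]")),                       # ../ or ..\ after decoding
    ("nul", re.compile(r"\x00")),                                  # %00 decoded to a NUL byte
    ("stream_wrapper", re.compile(r"(?i)\b(phar|php|data|file)://")),  # phar:// is the RCE route
]

# Constructed sample: two traversal probes, one phar:// attempt, one benign
# request to the plugin, one traversal elsewhere that must NOT be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2022:12:00:01 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../wp-config.php%00 HTTP/1.1" 200 2431
203.0.113.7 - - [10/Apr/2022:12:00:03 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1902
203.0.113.9 - - [10/Apr/2022:12:01:10 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=phar://../uploads/2022/04/avatar.jpg/x HTTP/1.1" 500 0
198.51.100.4 - - [10/Apr/2022:12:02:00 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=report HTTP/1.1" 200 512
198.51.100.5 - - [10/Apr/2022:12:03:00 +0000] "GET /wp-admin/edit.php?orderby=../ HTTP/1.1" 200 9000
"""


def normalise_uri(uri: str) -> str:
    """Percent-decode up to two layers so %2e%2e%2f and %252e%252e%252f both
    become '../'. Stops early once decoding no longer changes the string."""
    for _ in range(2):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line: str):
    """Return a finding dict for a suspicious request to the plugin, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = normalise_uri(m["uri"])
    if PLUGIN_DIR not in uri.lower():
        return None  # out of scope: traversal noise against other paths
    reasons = [name for name, rx in SUSPICIOUS if rx.search(uri)]
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "uri": uri.replace("\x00", "%00"),  # keep output printable
        "reasons": reasons,
    }


def scan(log_text: str) -> list:
    """Run classify() over every line and collect the findings in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    import json
    import sys

    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for hit in scan(text):
        print(json.dumps(hit))
```

Pipe a real access log into the script (cat access.log | python3 sweep.py) to run it over live data; a 200 status on a traversal hit is the line to escalate, since it indicates the read succeeded rather than merely being attempted.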

🔗 References

  • WPScan advisory: https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-1390