VYPR
Unrated severity · NVD Advisory · Published Apr 25, 2022 · Updated Aug 3, 2024

Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read

CVE-2022-1390

Description

Admin Word Count Column plugin <=2.2 allows unauthenticated arbitrary file read via unsanitized readfile() path parameter, potentially leading to RCE on older PHP versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Admin Word Count Column WordPress plugin through version 2.2 fails to validate the path parameter passed to the readfile() function. An unauthenticated attacker can exploit this to read arbitrary files from the server, particularly on older PHP versions susceptible to the null byte technique. This vulnerability could also lead to remote code execution (RCE) through Phar deserialization. [1]

Exploitation

An attacker does not require authentication or any prior access to the site. The vulnerability is triggered by crafting a request that supplies a malicious path parameter to the plugin's file reading functionality. On servers running PHP versions vulnerable to null byte injection, the attacker can append a null byte to bypass path restrictions. Furthermore, if the server allows uploading or placing a crafted Phar file (e.g., via other means), the attacker can invoke Phar deserialization by calling readfile() on that file path. [1]

Impact

Successful exploitation enables an unauthenticated attacker to read arbitrary files from the WordPress server, potentially exposing sensitive data such as configuration files, credentials, or source code. If combined with a Phar deserialization technique, the attacker can achieve remote code execution, leading to full compromise of the WordPress instance and potentially the underlying server. [1]

Mitigation

As of the public disclosure date, no official fix or patched version has been released. The plugin is listed with "No known fix" [1]. Administrators are advised to remove or deactivate the plugin immediately. If the plugin is still required, ensure the server runs a modern PHP version (7.2+), as the null byte technique is mitigated in such versions, though the arbitrary file read vulnerability remains exploitable via other means. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update. [1]
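The advisory names three weaknesses that reinforce each other: the file-reading endpoint requires no authentication, the path parameter reaches readfile() unvalidated, and readfile() itself accepts null bytes (on old PHP builds) and stream wrappers such as phar://. The PHP below is an added example of how a plugin author would close all three; it is not the Admin Word Count Column plugin's code. The base directory, the `file` query parameter, the `manage_options` capability, and the AJAX action name are assumptions chosen for illustration.

```php
<?php
// Added defensive example; not code from the Admin Word Count Column plugin.
// Assumed layout: exported files live under a fixed directory inside
// wp-content/uploads and the request names one of them by relative path.

declare(strict_types=1);

/**
 * Resolve a user-supplied relative path inside $baseDir, or return null
 * if it must not be served. Each check maps to one failure mode named
 * in the advisory.
 */
function resolve_safe_path(string $baseDir, string $userPath): ?string
{
    // 1. Null bytes: old PHP builds truncated the path at the first NUL,
    //    so suffix or extension checks could be bypassed. Refuse outright
    //    regardless of PHP version.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    // 2. Stream wrappers: phar://, php://, data:// and friends turn
    //    readfile() into something other than a plain file read
    //    (phar:// unserialises archive metadata). Reject any scheme prefix.
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*://#', $userPath)) {
        return null;
    }

    // 3. Allow-list the characters so absolute paths and traversal
    //    sequences never reach the filesystem layer at all.
    if (!preg_match('#^[A-Za-z0-9_.\-]+(/[A-Za-z0-9_.\-]+)*$#', $userPath)
        || strpos($userPath, '..') !== false) {
        return null;
    }

    // 4. Canonicalise both sides and require the target to stay inside
    //    the base directory; realpath() follows symlinks, so a link that
    //    escapes the directory is caught here too.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $full;
}

/**
 * Serve a file only after capability and path checks pass. The capability
 * is an assumption; an admin-only column export would use manage_options.
 */
function serve_export_file(string $baseDir, string $userPath): void
{
    // Missing authentication was the root cause in the advisory: require a
    // logged-in user with a suitable capability before touching the disk.
    if (!function_exists('current_user_can') || !current_user_can('manage_options')) {
        status_header(403);   // WordPress core helper
        exit;
    }

    $path = resolve_safe_path($baseDir, $userPath);
    if ($path === null) {
        status_header(400);
        exit;
    }

    header('Content-Type: text/plain; charset=utf-8');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}

// Hypothetical wiring: register under an authenticated AJAX action only
// (wp_ajax_*, not wp_ajax_nopriv_*), never on a bare front-end request.
// add_action('wp_ajax_example_export', function (): void {
//     serve_export_file(
//         WP_CONTENT_DIR . '/uploads/example-exports',
//         (string) ($_GET['file'] ?? '')
//     );
// });
```

The order of the checks matters: the null-byte and wrapper tests run on the raw string before any filesystem call, because realpath() on a phar:// or NUL-bearing string is exactly what the vulnerable code path did. The capability check sits in front of everything else so that an unauthenticated request never reaches the path logic at all, which is the property the affected versions lacked.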

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)
