CVE-2022-50953
Description
WordPress admin-word-count-column plugin 2.2 is vulnerable to local file read via null byte injection in the path parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress plugin admin-word-count-column version 2.2 contains a local file read vulnerability. This vulnerability exists in the download-csv.php file and is exploitable by unauthenticated attackers through null byte injection in the path parameter [2]. The plugin was closed on March 29, 2022, due to a security issue [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to download-csv.php. The request must include a path parameter containing directory traversal sequences and null bytes. For example, ?path=../../../../../../../../../../../../etc/passwd\0 can be used to bypass file restrictions [3]. This exploit is effective on PHP versions 5.3.2 and below [3].
Impact
Successful exploitation allows an attacker to read arbitrary files from the server. This includes sensitive system configuration files such as /etc/passwd, leading to information disclosure [2, 3]. The scope of the compromise is limited to files readable by the web server process.
Mitigation
This plugin has been closed and is no longer available for download due to a security issue [1]. The vulnerable version is 2.2. No patch information is available as the plugin is discontinued. Users should remove the plugin if it is still installed on their WordPress site.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: <2.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `download-csv.php` script in the admin-word-count-column plugin is vulnerable to local file read via null byte injection in the `path` parameter."
Attack vector
An unauthenticated attacker can send a GET request to `download-csv.php` with a crafted `path` parameter. This parameter can include directory traversal sequences and a null byte to bypass file restrictions and read arbitrary files on the server. For example, a request like `?path=../../../../../../../../../../../../etc/passwd\0` can be used to read the `/etc/passwd` file [ref_id=1]. This vulnerability is noted to work with PHP versions 5.3.2 and below [ref_id=1].
Affected code
The vulnerable code resides in the `plugins/admin-word-count-column/download-csv.php` file. Specifically, the `readfile($_GET['path'] . 'cpwc.csv');` line is responsible for reading the file based on the user-supplied `path` parameter without proper sanitization [ref_id=1].
What the fix does
The advisory does not provide a patch or specific remediation steps. However, the vulnerability can be mitigated by disabling or removing the admin-word-count-column plugin. If the plugin must be used, updating to a version that addresses the null byte injection and path traversal in `download-csv.php` would be necessary.
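As an added illustration (not the plugin's code and not from the advisory), the following PHP places the pattern quoted above next to a hardened resolver for the same "serve the export CSV" task. The function names, the fixed export directory, and the demo file layout under the system temp directory are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Pattern described in the advisory: the client chooses the directory and the
// file name is appended. On PHP builds that truncate a path at a null byte, a
// value such as "../../etc/passwd\0" drops the trailing "cpwc.csv", so the
// concatenation no longer restricts what readfile() opens.
function export_path_vulnerable(string $user_path): string
{
    return $user_path . 'cpwc.csv';
}

// Hardened resolver (hypothetical name). The export directory $base_dir is
// fixed server-side; the client may at most name one subdirectory beneath it.
// Returns the canonical file path, or null when the request must be refused.
function export_path_hardened(string $base_dir, string $user_path): ?string
{
    // A null byte never occurs in a legitimate path. Refuse it before any
    // filesystem call so the outcome does not depend on the PHP version.
    if (strpos($user_path, "\0") !== false) {
        return null;
    }
    // Allow only a simple directory name: no separators, no "." or "..".
    if ($user_path !== '' && !preg_match('/\A[A-Za-z0-9_-]+\z/', $user_path)) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() also follows symlinks, so a link pointing outside $base_dir
    // is caught by the containment check below.
    $file = realpath($base . DIRECTORY_SEPARATOR . $user_path . DIRECTORY_SEPARATOR . 'cpwc.csv');
    if ($file === false) {
        return null;
    }
    // Defence in depth: the canonical path must still sit inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// Demonstration on a constructed layout in the system temp directory.
$root = sys_get_temp_dir() . '/awcc_demo_' . getmypid();
mkdir($root . '/exports/today', 0700, true);
file_put_contents($root . '/exports/today/cpwc.csv', "post,words\nhello,2\n");
file_put_contents($root . '/secret.txt', "not for download\n");

$cases = [
    'today',                        // legitimate subdirectory
    '../../secret.txt' . "\0",      // null-byte truncation attempt
    '../',                          // plain traversal
    'missing',                      // well-formed but nonexistent
];
foreach ($cases as $case) {
    $resolved = export_path_hardened($root . '/exports', $case);
    printf("%-24s -> %s\n", addcslashes($case, "\0..\37"), $resolved ?? 'refused');
}

// Clean up the constructed layout.
unlink($root . '/exports/today/cpwc.csv');
unlink($root . '/secret.txt');
rmdir($root . '/exports/today');
rmdir($root . '/exports');
rmdir($root);
```

Only the first case resolves to a file; the other three are refused before `readfile()` would ever run. Because the original endpoint was reachable without authentication, a real handler should additionally be gated behind a WordPress capability check and nonce rather than being a directly requestable script; that is general practice, not something the advisory prescribes.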
Preconditions
- input: The `path` parameter must be supplied in a GET request to `download-csv.php`.
- config: The WordPress plugin 'admin-word-count-column' version 2.2 must be installed.
- config: The PHP version must be 5.3.2 or below for the null byte injection to be effective [ref_id=1].
Reproduction
localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.