CVE-2022-50953 Overview
CVE-2022-50953 is an unauthenticated arbitrary file read (local file disclosure) vulnerability in version 2.2 of the WordPress plugin admin-word-count-column. The flaw is in the plugin's download-csv.php endpoint, which does not sanitize the path parameter against null-byte injection or directory traversal sequences. An attacker with no credentials can send a crafted GET request and read any file the web server process can access, including wp-config.php and operating system files. The weakness is classified as [CWE-22] Path Traversal.
Critical Impact
Unauthenticated attackers can read arbitrary files on the host, exposing credentials stored in wp-config.php, private keys, and system configuration.
Affected Products
- WordPress Plugin admin-word-count-column version 2.2
- WordPress installations with the vulnerable plugin enabled
- Hosting environments serving the download-csv.php endpoint
Discovery Timeline
- 2026-06-08 - CVE-2022-50953 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2022-50953
Vulnerability Analysis
The admin-word-count-column plugin exposes a download-csv.php script that accepts a user-controlled path parameter. The script uses the parameter to construct a filesystem path and serve the contents to the requester. The endpoint does not require authentication, so any remote visitor able to reach the WordPress site can invoke it.
The handler attempts to restrict file types, but the check runs on the raw string rather than on the resolved filesystem path. An attacker appends a null byte (%00) followed by an allowed extension: the string still ends in the expected extension and passes validation, but PHP releases before 5.3.4 handed the path to the C library unchanged, which stops at the first null byte, so the actual read targets a different file than the one that was validated. PHP 5.3.4 and later reject paths containing a null byte in filesystem functions, so the null-byte half of this bypass only works on legacy PHP builds; the missing canonicalization of traversal sequences is a defect regardless of PHP version.
Combined with ../ directory traversal sequences, the bypass allows reading any file readable by the web server process. Sensitive targets include wp-config.php, /etc/passwd, SSH private keys, and application logs.
Root Cause
The root cause is improper input neutralization in the path parameter handling within download-csv.php. The plugin trusts the supplied path string, performs only superficial extension checks, and passes the raw value to file read functions without canonicalization or allowlist enforcement.
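To make the root cause concrete, here is an added example that is not the plugin's code (the plugin is PHP; this is written in Python to show the technique generally). It contrasts a string-level extension check with a check performed on the resolved path. The function names, the sample export directory and the wp-config.php fixture are assumptions made for the example; the legacy PHP null-byte truncation is modelled explicitly in _legacy_truncate because both modern PHP and Python refuse paths that contain a NUL.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def _legacy_truncate(path: str) -> str:
    # Model of pre-5.3.4 PHP filesystem functions, which passed the string to
    # libc and therefore stopped at the first NUL. Modern PHP rejects such paths.
    return path.split("\x00", 1)[0]


def extension_check_only(base_dir: str, user_path: str) -> Optional[bytes]:
    """Vulnerable pattern: validate the string, then read the truncated path.

    The ".csv" check sees "../wp-config.php\x00.csv" and accepts it; the read
    sees "../wp-config.php".
    """
    if not user_path.lower().endswith(".csv"):
        return None
    target = os.path.join(base_dir, _legacy_truncate(user_path))
    with open(target, "rb") as fh:
        return fh.read()


def canonical_check(base_dir: str, user_path: str) -> Optional[bytes]:
    """Hardened pattern: reject NUL, resolve the path, enforce an allowlisted directory."""
    if "\x00" in user_path:
        return None
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()   # an absolute user_path replaces base and fails below
    if base not in target.parents:          # also rejects target == base
        return None
    if target.suffix.lower() != ".csv" or not target.is_file():
        return None
    return target.read_bytes()


def demo() -> dict:
    """Constructed fixture: an exports directory next to a fake wp-config.php."""
    with tempfile.TemporaryDirectory() as root:
        root_p = Path(root)
        exports = root_p / "exports"
        exports.mkdir()
        (exports / "counts.csv").write_text("post,words\n1,120\n")
        (root_p / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'example-only');")
        payload = "../wp-config.php\x00.csv"   # traversal plus null byte, as in the advisory
        return {
            "legit_vuln": extension_check_only(str(exports), "counts.csv"),
            "legit_safe": canonical_check(str(exports), "counts.csv"),
            "traversal_vuln": extension_check_only(str(exports), "../wp-config.php"),
            "payload_vuln": extension_check_only(str(exports), payload),
            "payload_safe": canonical_check(str(exports), payload),
            "traversal_safe": canonical_check(str(exports), "../wp-config.php"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} -> {value!r}")
```

Plain traversal alone fails the vulnerable version's extension check, which is why the null byte is needed; the hardened version rejects both because it validates the resolved path rather than the submitted string.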
Attack Vector
Exploitation requires a single HTTP GET request to download-csv.php with the path parameter set to a traversal payload containing directory escape sequences and a null byte terminator. No authentication, session, or user interaction is required. The Exploit-DB entry #50845 documents the request structure used to retrieve arbitrary files. See the VulnCheck Advisory for WordPress Plugin for additional technical context.
Detection Methods for CVE-2022-50953
Indicators of Compromise
- GET requests to /wp-content/plugins/admin-word-count-column/download-csv.php whose path query parameter contains traversal sequences or an encoded null byte; a plain file name in path is normal for legitimate exports, so the parameter being populated is not by itself an indicator
- URL-encoded null byte sequences (%00) within HTTP request parameters targeting the plugin
- Directory traversal patterns such as ../../../../ in access logs for the plugin endpoint, including percent-encoded (%2e%2e%2f) and double-encoded (%252e%252e%252f) variants
- HTTP responses from the plugin endpoint containing the contents of wp-config.php or files under /etc
Detection Strategies
- Search web server access logs for requests to download-csv.php whose path= parameter contains ../ or %00 after URL decoding (a grep on the raw line misses encoded variants)
- Alert on responses from the plugin endpoint exceeding typical CSV export sizes or returning non-CSV content
- Deploy web application firewall rules that block null byte characters, raw or percent-encoded, in query string parameters
- Audit file access by the PHP-FPM or web server user for reads outside the WordPress tree (/etc/passwd, SSH private keys, application logs); auditing reads of wp-config.php itself only generates noise, because WordPress loads that file under the same user on every request
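An added example, not from the advisory or any vendor tool, of the log search described above: a Python scanner over a few constructed combined-format access log lines. It decodes the path parameter before matching so that encoded and double-encoded traversal sequences are caught, and flags responses larger than a CSV export should be. The endpoint path is the one named in this advisory; the log lines, client addresses and the size threshold are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory.
ENDPOINT = "/wp-content/plugins/admin-word-count-column/download-csv.php"

# Combined log format: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines for this example, not a real incident record.
LOG_SAMPLE = [
    '203.0.113.7 - - [08/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=export.csv HTTP/1.1" 200 1532',
    '203.0.113.7 - - [08/Jun/2026:10:00:02 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../wp-config.php%00.csv HTTP/1.1" 200 3104',
    '198.51.100.9 - - [08/Jun/2026:10:00:03 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00.csv HTTP/1.1" 200 2207',
    '198.51.100.9 - - [08/Jun/2026:10:00:04 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3104',
    '192.0.2.5 - - [08/Jun/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 47',
    '192.0.2.5 - - [08/Jun/2026:10:00:06 +0000] "GET /wp-content/plugins/admin-word-count-column/download-csv.php?path=export.csv HTTP/1.1" 200 91203',
]


def raw_query_values(query: str, name: str):
    """Return the still-percent-encoded values of one query parameter.

    parse_qs() would turn %00 into a real NUL and %2e%2e into '..' before we
    look at it, so the pairs are split by hand and decoded in traversal_or_nul.
    """
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            values.append(value)
    return values


def traversal_or_nul(raw_value: str) -> bool:
    # Decode twice so double-encoded sequences (%252e%252e%252f) are caught too.
    decoded = unquote(unquote(raw_value))
    return "\x00" in decoded or "../" in decoded or "..\\" in decoded


def scan_access_log(lines, csv_size_limit: int = 50_000):
    """Return one finding per request matching the advisory's indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.path != ENDPOINT:
            continue
        reasons = []
        if any(traversal_or_nul(v) for v in raw_query_values(url.query, "path")):
            reasons.append("traversal_or_nul_in_path")
        if m["size"] != "-" and int(m["size"]) > csv_size_limit:
            reasons.append("oversized_response")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(LOG_SAMPLE):
        print(finding)
```

The size threshold is deliberately a parameter: tune it to the baseline for legitimate exports on the site, as the monitoring recommendations below suggest.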
Monitoring Recommendations
- Forward WordPress access logs and PHP error logs to a centralized analytics pipeline for correlation
- Track plugin enumeration scans targeting /wp-content/plugins/admin-word-count-column/
- Establish a baseline for legitimate CSV export activity and alert on deviations
How to Mitigate CVE-2022-50953
Immediate Actions Required
- Disable and remove the admin-word-count-column plugin until a patched release is verified
- Rotate any credentials, API keys, and database passwords stored in wp-config.php on affected hosts
- Audit web server logs for prior exploitation attempts against download-csv.php
- Restrict direct HTTP access to plugin PHP files through web server configuration
Patch Information
No fixed version is listed in the available advisory data. Review the WordPress Plugin Description page for current release status and remove the plugin if an updated, patched version is not available.
Workarounds
- Block requests to download-csv.php at the reverse proxy or web application firewall layer
- Add filesystem ACLs that prevent the web server user from reading sensitive files outside the WordPress document root
- Configure PHP open_basedir to confine file operations to the WordPress installation directory; this blocks reads of /etc/passwd and SSH keys but not of wp-config.php, which lives inside the confined tree, so treat it as a backstop rather than a fix
- Apply WAF signatures that reject query strings containing null bytes or directory traversal sequences
# Configuration example: block the vulnerable endpoint in nginx.
# Regex locations are tested in the order they appear and the first match wins,
# so this block must come before the generic "location ~ \.php$" block that
# hands requests to PHP-FPM, or it never fires.
location ~* /wp-content/plugins/admin-word-count-column/download-csv\.php$ {
    # "return" runs in the rewrite phase, before access-phase "deny" directives,
    # so it alone is enough to answer 403.
    return 403;
}
# Restrict PHP file access scope in php.ini. Note that wp-config.php remains
# readable because it sits under the WordPress root.
open_basedir = /var/www/html:/tmp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.