CVE-2022-50956 Overview
CVE-2022-50956 is a local file read vulnerability in the WordPress plugin amministrazione-aperta version 3.7.3. The flaw resides in dispatcher.php, where the open GET parameter is passed to file inclusion logic without adequate validation. Unauthenticated attackers can supply arbitrary file paths through this parameter to read any file accessible to the web server process. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Public exploit code is documented in Exploit-DB #50838 and the VulnCheck Advisory.
Critical Impact
Unauthenticated attackers can read arbitrary files from the WordPress host, exposing configuration files such as wp-config.php, database credentials, and other sensitive server-side data.
Affected Products
- WordPress Plugin amministrazione-aperta version 3.7.3
- WordPress installations with the vulnerable plugin enabled
- Web servers hosting affected plugin deployments
Discovery Timeline
- 2026-05-10 - CVE-2022-50956 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2022-50956
Vulnerability Analysis
The vulnerability stems from how dispatcher.php in the amministrazione-aperta plugin processes the open GET parameter. The script accepts user-supplied paths and passes them to file inclusion or read operations without sanitization. Attackers can traverse the filesystem using sequences such as ../ to escape the plugin directory. Because the endpoint does not require authentication, any remote user reaching the WordPress instance can issue the request. The plugin supports administrative document handling, which is why file access primitives exist in the codebase, but they are exposed without access controls.
Root Cause
The root cause is improper input validation on a path parameter, mapped to [CWE-22]. The open parameter is treated as a trusted path argument and concatenated into a file read operation. No allow-listing, canonicalization, or directory boundary check is applied before the read executes.
Attack Vector
An attacker sends an HTTP GET request to the plugin's dispatcher.php endpoint with the open parameter set to a traversal sequence pointing at a target file. The web server returns the contents of any file readable by its process user. Typical targets include wp-config.php, /etc/passwd, application logs, and backup files. The attack requires no credentials and no user interaction.
The vulnerability is described in prose only; refer to Exploit-DB #50838 for the published proof-of-concept request format.
Detection Methods for CVE-2022-50956
Indicators of Compromise
- HTTP requests to dispatcher.php containing the open parameter with ../ traversal sequences or absolute paths.
- Access log entries showing requests for the plugin endpoint referencing files such as wp-config.php, /etc/passwd, or .env.
- Unexpected outbound traffic following successful file reads, indicating data exfiltration.
Detection Strategies
- Inspect web server access logs for requests matching dispatcher.php?open= with suspicious path values.
- Deploy web application firewall rules that block path traversal patterns targeting WordPress plugin endpoints.
- Correlate plugin endpoint hits with subsequent authentication failures or privilege escalation attempts that may use harvested credentials.
Monitoring Recommendations
- Enable verbose access logging on WordPress hosts and forward logs to a centralized analytics platform.
- Alert on any unauthenticated access to wp-content/plugins/amministrazione-aperta/ paths.
- Monitor for reads or transmissions of wp-config.php content patterns in HTTP responses.
How to Mitigate CVE-2022-50956
Immediate Actions Required
- Disable or uninstall the amministrazione-aperta plugin until a fixed version is verified through the WordPress plugin page.
- Rotate all credentials stored in wp-config.php, including database passwords and authentication keys, if exposure is suspected.
- Audit web server logs for prior exploitation attempts referencing the open parameter.
Patch Information
No confirmed patched version is referenced in the available advisories. Administrators should check the WordPress plugin repository for updates beyond 3.7.3 and consult the VulnCheck Advisory for vendor guidance.
Workarounds
- Block external access to wp-content/plugins/amministrazione-aperta/dispatcher.php at the web server or WAF level.
- Restrict filesystem permissions so the web server user cannot read sensitive files outside the document root.
- Apply WAF signatures that deny requests containing path traversal sequences on plugin endpoints.
# Example nginx rule to block direct access to the vulnerable endpoint
location ~* /wp-content/plugins/amministrazione-aperta/dispatcher\.php {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
