CVE-2022-1390 (GCVE-0-2022-1390)

Vulnerability from cvelistv5 – Published: 2022-04-25 15:51 – Updated: 2024-08-03 00:03
Title
Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read
Summary
The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on a server running an old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar deserialization technique.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Impacted products
Vendor: Unknown
Product: Admin Word Count Column
Version: Affected: 2.2, ≤ 2.2 (custom)
Credits
Hassan Khan Yusufzai - Splint3r7
KEVintel KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant

Vulnerability ID: CVE-2022-1390

Status: Confirmed

Status Updated: 2026-06-06 00:00 UTC

Exploited: Yes


Timestamps
First Seen: 2026-06-06
Asserted: 2026-06-06

Scope
Notes: KEVIntel entry: Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read | Affected: Unknown / Admin Word Count Column | CVSS: 9.8 (CRITICAL) | EPSS: 0.20846 | Used in malware: unknown | Not yet in CISA KEV: True

Evidence

Type: Public Report

Signal: Successful Exploitation

Confidence: 70%

Source: kevintel


Details
Feed: KEVIntel (kevintel.com)
Title: Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read
Vendor: Unknown
Product: Admin Word Count Column
Added Date: 2026-06-06T00:00:00.000Z
CVSS Score: 9.8
EPSS Score: 0.20846
CVSS Severity: CRITICAL
EPSS Percentile: 0.97232
Used In Malware: unknown
Ahead Of CISA KEV: None
Not Yet In CISA KEV: True

Created: 2026-06-19 12:45 UTC | Updated: 2026-06-19 12:45 UTC

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.263Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://packetstormsecurity.com/files/166476/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Admin Word Count Column",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThanOrEqual": "2.2",
              "status": "affected",
              "version": "2.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Hassan Khan Yusufzai - Splint3r7"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-25T15:51:24.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://packetstormsecurity.com/files/166476/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Admin Word Count Column \u003c= 2.2 - Unauthenticated Arbitrary File Read",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-1390",
          "STATE": "PUBLIC",
          "TITLE": "Admin Word Count Column \u003c= 2.2 - Unauthenticated Arbitrary File Read"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Admin Word Count Column",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2.2",
                            "version_value": "2.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Hassan Khan Yusufzai - Splint3r7"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990"
            },
            {
              "name": "https://packetstormsecurity.com/files/166476/",
              "refsource": "MISC",
              "url": "https://packetstormsecurity.com/files/166476/"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-1390",
    "datePublished": "2022-04-25T15:51:24.000Z",
    "dateReserved": "2022-04-19T00:00:00.000Z",
    "dateUpdated": "2024-08-03T00:03:06.263Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-1390",
      "date": "2026-06-19",
      "epss": "0.22133",
      "percentile": "0.97368"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:admin_word_count_column_project:admin_word_count_column:*:*:*:*:*:wordpress:*:*\", \"versionEndIncluding\": \"2.2\", \"matchCriteriaId\": \"5F9A3865-14CC-41ED-B6DA-0BA59F1F9DAE\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique\"}, {\"lang\": \"es\", \"value\": \"El plugin Admin Word Count Column de WordPress versiones hasta 2.2 no comprueba el par\\u00e1metro de la ruta dado a readfile(), lo que podr\\u00eda permitir a atacantes no autenticados leer archivos arbitrarios en un servidor que ejecute una versi\\u00f3n antigua de PHP susceptible a la t\\u00e9cnica del byte nulo. Esto tambi\\u00e9n podr\\u00eda conllevar un RCE al usar una t\\u00e9cnica de deserializaci\\u00f3n de Phar\"}]",
      "id": "CVE-2022-1390",
      "lastModified": "2024-11-21T06:40:38.140",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-04-25T16:16:08.720",
      "references": "[{\"url\": \"https://packetstormsecurity.com/files/166476/\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://packetstormsecurity.com/files/166476/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"contact@wpscan.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    }
  }
}

