CVE-2022-50953: WordPress admin-word-count-column Plugin Local File Read Vulnerability
The admin-word-count-column WordPress plugin version 2.2 contains a flaw that lets unauthenticated attackers read files they shouldn't be able to access. An attacker can craft a specially formed web request to the plugin's download-csv.php file, using directory-traversal tricks and null-byte injection to bypass the plugin's file-access controls. This allows them to download sensitive configuration files and other data directly from the server.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path parameter. Attackers can send GET requests to download-csv.php with a crafted path parameter containing directory traversal sequences and null bytes to bypass file restrictions and read sensitive files like system configuration.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2022-50953 is a local file read vulnerability in the admin-word-count-column WordPress plugin (version 2.2) stemming from improper input validation in the path parameter of download-csv.php. The vulnerability exploits null-byte injection combined with directory traversal sequences (../ patterns) to circumvent path-restriction logic. Because the plugin fails to properly sanitize or validate user-supplied path input before file operations, an unauthenticated attacker can construct GET requests that resolve to arbitrary files on the server. The underlying weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Business impact
Organizations using the admin-word-count-column plugin expose their WordPress installations to unauthorized data exfiltration. An attacker can harvest sensitive files such as wp-config.php (containing database credentials), .env files with API keys, or system configuration data without requiring any credentials or user interaction. This disclosure risk is amplified in multi-tenant or hosted environments where configuration files may contain secrets shared across multiple sites. The vulnerability does not enable file modification or denial of service, but the confidentiality breach can lead to secondary attacks, credential compromise, or regulatory violations depending on what data resides on the server.
Affected systems
WordPress installations running the admin-word-count-column plugin version 2.2 are affected. The vulnerability requires no authentication and can be triggered from the network (local attack vector in CVSS terms refers to the file being on the local system, not network accessibility—the plugin itself is remotely accessible). Any site with this plugin active and publicly accessible via the internet is exposed to exploitation.
Exploitability
Exploitability is straightforward. An attacker needs only to craft a GET request to the vulnerable download-csv.php endpoint with a malicious path parameter. No special tools, credentials, or user interaction are required. The attack is repeatable and reliable. However, the CVSS vector indicates a local attack vector (AV:L), which typically implies the attacker must already have some form of local access or the vulnerability is restricted to local contexts. Given the description emphasizes unauthenticated HTTP GET requests, organizations should verify the actual attack surface with their vendor or plugin repository to confirm whether this is truly remotely exploitable or restricted to scenarios where an attacker has prior local system access.
Remediation
Immediately update the admin-word-count-column plugin to a patched version released after version 2.2. Consult the plugin's official repository or vendor advisory for the specific version number that contains the fix. As an interim measure, disable or remove the plugin if it is not critical to operations. If removal is not feasible, apply server-side access controls to restrict requests to download-csv.php or block the plugin's directory via your web server (nginx, Apache) or WordPress security plugin until patching is complete.
Patch guidance
Check the official WordPress plugin repository or the plugin vendor's website for an updated release that addresses CVE-2022-50953. The vendor advisory will specify the patched version number. Once identified, update through your WordPress dashboard or via command line (wp plugin update admin-word-count-column). Test the update in a staging environment first to ensure compatibility with your site's other plugins and theme. Verify that the CSV download functionality still works as expected after patching.
Detection guidance
Monitor web server access logs for suspicious requests to /download-csv.php with encoded or unusual path parameters, including sequences like ../, %00 (null-byte encoding), or attempts to reference files outside the plugin directory. Use a Web Application Firewall (WAF) to block requests containing directory traversal patterns or null bytes in GET parameters. WordPress security plugins like Wordfence, Sucuri, or iThemes Security may detect exploitation attempts or flag the vulnerable plugin version. Enable logging on your WordPress installation and review plugin activity for access to the download-csv.php endpoint.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. The CVSS score of 6.2 (MEDIUM) reflects high confidentiality impact but no integrity or availability risk. The attack requires no authentication and is trivial to execute, but the local attack vector suggests potential constraints on real-world exploitability. Organizations should prioritize patching if the plugin is installed; however, if the plugin is not actively used or has low visibility, the risk is lower. Prioritize this above routine updates but below critical patches affecting authentication or data integrity.
Risk score, explained
The CVSS 3.1 score of 6.2 is driven by a high confidentiality impact (C:H), reflecting the ability to read arbitrary files. No changes to system integrity (I:N) or availability (A:N) are possible, limiting the score. The local attack vector (AV:L) and low attack complexity (AC:L) are balanced against the requirement for no privileges (PR:N) and no user interaction (UI:N). The unchanged scope (S:U) means the impact is limited to the vulnerable component. The score is appropriate for an unauthenticated file-read vulnerability but is capped at MEDIUM rather than HIGH or CRITICAL because of the local attack vector constraint.
Frequently asked questions
Does this vulnerability require the attacker to be authenticated or have an account on the WordPress site?
No. The vulnerability is unauthenticated, meaning an attacker can exploit it without logging in or having any user account. An attacker can send the malicious request from outside your organization.
What files can an attacker read with this vulnerability?
An attacker can potentially read any file accessible to the web server process, including configuration files (wp-config.php, .env), database backups, private keys, or other sensitive data. The exact scope depends on server permissions and what files exist on the system.
Is there an exploit available in the wild, and is this on the CISA KEV list?
This vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, and no widespread exploit activity has been publicly disclosed as of the last update. However, the technical simplicity of the attack means exploitation could occur without public disclosure.
If I remove the plugin, will my WordPress site break?
Removing the plugin will eliminate the file-read vulnerability immediately. You will lose the admin-word-count-column functionality, but core WordPress features will not be affected. If the plugin's features are essential, prioritize patching to a safe version instead.
This analysis is provided for informational purposes and is based on the available vulnerability data as of the published and modified dates. Patch version numbers and specific vendor advisories should be verified against official sources before deployment. The CVSS vector (AV:L) typically indicates a local attack context; organizations should confirm with the vendor whether this vulnerability is remotely exploitable in your environment. No liability is assumed for decisions made based on this analysis. Always test patches in a staging environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-10213MEDIUMAstrBot 4.23.6 Path Traversal in API Endpoint