CVE-2022-0679
CRITICAL EXPLOITED NUCLEINarnoo Distributor WordPress <2.5.1 - Info Disclosure
Title source: llmExploitation Summary
CVE-2022-0679 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and it's configuration.
Nuclei Templates (1)
WordPress Narnoo Distributor <=2.5.1 - Local File Inclusion
CRITICALVERIFIEDby Veshraj
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8
Scores
CVSS v3
9.8
EPSS
0.4783
EPSS Percentile
98.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2023-12-03
CWE
CWE-22
Status
published
Products (1)
narnoo_distributor_project/narnoo_distributor
< 2.5.1
Published
Mar 28, 2022
Tracked Since
Feb 18, 2026