CVE-2022-50953 MEDIUM

CVE-2022-50953: WordPress Plugin admin-word-count-column 2.2 Local File Read

Vendor Brooks24

Product admin-word-count-column

Weakness CWE-22 · Path traversal

Published June 8, 2026

Last update June 8, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path parameter. Attackers can send GET requests to download-csv.php with a crafted path parameter containing directory traversal sequences and null bytes to bypass file restrictions and read sensitive files like system configuration.

Key dates

Disclosure timeline

June 8, 2026 CVE published

June 8, 2026 Record updated