PatchSiren cyber security CVE debrief
CVE-2022-50953 brooks24 CVE debrief
CVE-2022-50953 is a local file read vulnerability in the WordPress Plugin admin-word-count-column 2.2. The vulnerability allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path parameter. Attackers can send GET requests to download-csv.php with a crafted path parameter containing directory traversal sequences and null bytes to bypass file restrictions and read sensitive files like system configuration.
- Vendor: brooks24
- Product: admin-word-count-column
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of WordPress Plugin admin-word-count-column 2.2 should be aware of this vulnerability and take action to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.9 (MEDIUM severity). It is caused by null byte injection in the path parameter of download-csv.php.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of the plugin if available.
- Restrict access to the download-csv.php file.
- Monitor for suspicious activity.
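One way to make the monitoring step concrete, as an added example (not code from the advisory or the plugin): a Python filter that flags access-log requests to download-csv.php whose path parameter decodes to a null byte or a `..` segment. The combined log format, the PLUGIN_DIR and EXAMPLE_FILE placeholders and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TARGET_SCRIPT = "download-csv.php"  # file name from the advisory

# Constructed sample lines. PLUGIN_DIR and EXAMPLE_FILE are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] '
    '"GET /PLUGIN_DIR/download-csv.php?path=../../EXAMPLE_FILE%00 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] '
    '"GET /PLUGIN_DIR/download-csv.php?path=..%252F..%252FEXAMPLE_FILE%2500 HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2025:10:01:00 +0000] '
    '"GET /PLUGIN_DIR/download-csv.php?path=report.csv HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2025:10:02:00 +0000] '
    '"GET /index.php?path=../x HTTP/1.1" 200 100',
]


def classify(line):
    """Return the reasons a log line matches the advisory's pattern (empty if none)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/" + TARGET_SCRIPT):
        return []
    reasons = set()
    # parse_qs percent-decodes once; unquote again to catch double encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):
        decoded = unquote(value)
        if "\x00" in decoded:
            reasons.add("null byte in path parameter")
        segments = decoded.replace("\x00", "").replace("\\", "/").split("/")
        if ".." in segments:
            reasons.add("directory traversal in path parameter")
    return sorted(reasons)


def scan(lines):
    """Map line index -> reasons for every line that matched."""
    return {i: r for i, line in enumerate(lines) if (r := classify(line))}


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOG).items():
        print(index, "; ".join(reasons))
```

The same two checks can be expressed as a WAF or reverse-proxy rule to cover the "restrict access" action when the plugin cannot be updated.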
Evidence notes
The CVE record was published on 2026-06-08T02:16:22.647Z and modified on 2026-06-08T14:59:44.750Z.
Official resources
CVE-2022-50953 was disclosed by [email protected].