PatchSiren cyber security CVE debrief

CVE-2022-50956 WordPress CVE debrief

CVE-2022-50956 is an unauthenticated local file read affecting WordPress plugin amministrazione-aperta 3.7.3. The supplied record says insufficient validation of the open GET parameter in dispatcher.php lets an attacker supply file paths and read sensitive files accessible to the web server. Any deployment still using the plugin should treat this as a serious exposure risk because file disclosure can reveal configuration, secrets, or other sensitive data.

Vendor: WordPress
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

WordPress site owners, administrators, and hosting teams running plugin amministrazione-aperta 3.7.3; security teams responsible for web application hardening; and anyone monitoring for possible exposure of web-server-readable secrets.

Technical summary

The CVE record and linked VulnCheck description identify a local file read issue in dispatcher.php. The vulnerable input is the open GET parameter, which is not sufficiently validated before it is used in a file inclusion or file access operation. NVD maps the issue to CWE-22. The impact is confidentiality-focused: unauthenticated attackers may be able to read arbitrary files that the web server account can access.

Defensive priority

Prioritize remediation quickly if the plugin is installed and active. Although the supplied CVSS score is Medium, unauthenticated file read can expose credentials and configuration data, so exposure risk may be operationally high in real deployments.

Recommended defensive actions

  • Identify whether plugin amministrazione-aperta 3.7.3 is installed anywhere in your environment.
  • Disable or remove the plugin on systems where it is not strictly required.
  • If the plugin must remain in use, verify whether the vendor has issued a fixed version before re-enabling it.
  • Review web server and application logs for requests to dispatcher.php using the open parameter.
  • Look for signs that sensitive files may have been exposed, especially configuration files and logs readable by the web server.
  • Rotate credentials and secrets if there is any indication that sensitive local files were disclosed.
  • Add temporary filtering or WAF rules to reduce exposure to suspicious dispatcher.php/open parameter requests until remediation is complete.
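
A log check for the review steps above, added here as an example and not taken from the plugin, the advisory or the CVE record: it scans combined-format access log lines for dispatcher.php requests whose open value decodes to a traversal sequence or an absolute path, and notes whether the server returned content. The sample lines, the SUBDIR path segment and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample access-log lines; "SUBDIR" is a placeholder, not the plugin's real layout.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:10:01:02 +0000] "GET /wp-content/plugins/amministrazione-aperta/SUBDIR/dispatcher.php?open=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3211
203.0.113.7 - - [10/May/2026:10:01:05 +0000] "GET /wp-content/plugins/amministrazione-aperta/SUBDIR/dispatcher.php?open=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 0
198.51.100.20 - - [10/May/2026:10:02:00 +0000] "GET /wp-content/plugins/amministrazione-aperta/SUBDIR/dispatcher.php?open=report HTTP/1.1" 200 512
198.51.100.20 - - [10/May/2026:10:03:00 +0000] "GET /index.php?open=../x HTTP/1.1" 200 900
"""

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (parse_qs has already decoded once)."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def path_reasons(value):
    """Return why an open value looks like a file path rather than a plain name."""
    value = fully_decode(value).replace("\\", "/")
    reasons = []
    if ".." in value.split("/"):
        reasons.append("traversal")
    if value.startswith("/") or re.match(r"^[A-Za-z]:/", value):
        reasons.append("absolute-path")
    return reasons

def find_suspicious(log_text):
    """Flag dispatcher.php requests whose open parameter carries a path."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not url.path.lower().endswith("/dispatcher.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("open", []):
            reasons = path_reasons(value)
            if reasons:
                # A 200 with a non-empty body means a file may have been returned.
                served = m["status"] == "200" and m["size"] not in ("-", "0")
                hits.append({"ip": m["ip"], "time": m["ts"], "open": fully_decode(value),
                             "reasons": reasons, "content_returned": served})
    return hits

if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

Hits with content_returned set to True are the ones to check first when deciding whether credentials need rotating.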

Evidence notes

The supplied NVD record for CVE-2022-50956 lists the vulnerability status as Received, assigns CWE-22, and includes references to the WordPress plugin page, a VulnCheck advisory, and an Exploit-DB entry. The supplied descriptions consistently identify the issue as an unauthenticated local file read in WordPress plugin amministrazione-aperta 3.7.3 via insufficient validation of the open parameter in dispatcher.php. This debrief uses only those supplied facts and the official record links.

Official resources

Publicly recorded in the supplied CVE/NVD data on 2026-05-10. The linked references describe an unauthenticated local file read in WordPress plugin amministrazione-aperta 3.7.3 caused by insufficient validation of the open parameter in `dis