PT-2022-13353 · WordPress · Narnoo Distributor

Cydave · Published 2022-03-28 · Updated 2026-03-08 · CVE-2022-0679

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Narnoo Distributor WordPress plugin, versions 2.5.1 and earlier

Description: The plugin fails to validate and sanitize the lib path parameter, which is passed directly into a call to require() by the "narnoo distributor lib request" AJAX action. The action is exposed to both unauthenticated and authenticated users, so any readable file on the server can be disclosed: its content is returned in the response as JSON data. Depending on the underlying system and its configuration, the same uncontrolled include can also lead to remote code execution (RCE) through various techniques.

Recommendations: For versions 2.5.1 and earlier, consider disabling the narnoo distributor lib request AJAX action until a patch is available, to prevent the disclosure of arbitrary files and potential RCE. Restrict access to the lib path parameter to minimize the risk of exploitation.
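The pattern behind this advisory, and one way a plugin author would close it, as an added example that is not the Narnoo Distributor plugin's code: the parameter name lib_path, the hook and nonce names, and the allowed library names are assumptions.

```php
<?php
// Added example, not the plugin's code. Shows the bug class the advisory describes
// (request-controlled path reaching require()) and a hardened handler beside it.

// Hypothetical unsafe shape of the "lib request" handler (assumed parameter name):
function narnoo_example_unsafe_handler() {
    require $_REQUEST['lib_path'] ?? '';   // traversal, arbitrary file disclosure, possible RCE
}

// Hardened version: fixed allowlist, bare identifiers only, resolved path must
// stay inside the plugin's lib directory, and the caller must be authorised.
const NARNOO_EXAMPLE_LIB_DIR = __DIR__ . '/lib';
const NARNOO_EXAMPLE_ALLOWED = ['orders', 'products', 'bookings'];   // assumed library names

function narnoo_example_resolve_lib($name) {
    // Only a short bare identifier: rejects "../", slashes, null bytes and php:// style wrappers
    if (!is_string($name) || !preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    if (!in_array($name, NARNOO_EXAMPLE_ALLOWED, true)) {
        return null;
    }
    $base = realpath(NARNOO_EXAMPLE_LIB_DIR);
    $path = realpath(NARNOO_EXAMPLE_LIB_DIR . '/' . $name . '.php');
    // realpath() returns false for missing files; also reject anything outside the base dir
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function narnoo_example_safe_handler() {
    // Privileged action: require a capable logged-in user and a valid nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('narnoo_example_lib', 'nonce');   // assumed nonce action name
    $path = narnoo_example_resolve_lib($_POST['lib_path'] ?? '');
    if ($path === null) {
        wp_send_json_error('invalid lib', 400);
    }
    ob_start();
    require $path;
    wp_send_json_success(ob_get_clean());
}
// Register the authenticated hook only; no wp_ajax_nopriv_* variant for this action.
add_action('wp_ajax_narnoo_example_lib_request', 'narnoo_example_safe_handler');
```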

Tags: Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2022-0679

Affected Products: Narnoo Distributor