EmailKit WordPress Plugin Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability allowing arbitrary file read has been identified in the EmailKit plugin for WordPress, affecting all versions through 1.6.1. The issue arises in the create_template REST API endpoint, where the emailkit-editor-template parameter is accepted without proper path validation. This flaw enables authenticated attackers with Author-level permissions or higher to access arbitrary files on the server, including sensitive configuration files such as /etc/passwd and wp-config.php. The accessed file contents are then stored in post meta and can be sent via email using MetForm's email confirmation feature.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, which could include critical WordPress configuration files and other private data.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level permissions or higher can send a POST request to the create-template REST API endpoint. The request must include a crafted emailkit-editor-template parameter that exploits the path traversal vulnerability by navigating to a sensitive file on the server. The response will contain the contents of the requested file, which can then be exfiltrated through MetForm's email confirmation feature.

Remediation

Users are advised to update the EmailKit WordPress plugin to version 1.6.2 or later, where this vulnerability has been patched.
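The root cause described above is a user-supplied template value reaching the filesystem without containment. As an added illustration (not EmailKit's own code and not the actual 1.6.2 patch), a hardened handler that confines the emailkit-editor-template value to a fixed template directory; the directory, the .json extension and all function names are assumptions:

```php
<?php
// Added example, not EmailKit's code. The template directory and the
// ".json" extension are assumptions; the real plugin layout is not known here.
define('EXAMPLE_TEMPLATE_DIR', __DIR__ . '/templates');

/**
 * Resolve a template name to a file inside EXAMPLE_TEMPLATE_DIR, or return
 * null if the name is malformed, escapes the directory, or does not exist.
 */
function example_resolve_template(string $name): ?string {
    // Allow-list a plain slug first: no slashes, dots or null bytes, so
    // "../", absolute paths and "/etc/passwd" never reach the filesystem.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }

    $base = realpath(EXAMPLE_TEMPLATE_DIR);
    if ($base === false) {
        return null; // template directory missing: fail closed
    }

    // realpath() canonicalises ".." and symlinks; false means no such file.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.json');
    if ($candidate === false) {
        return null;
    }

    // Defence in depth: the resolved path must still sit beneath $base,
    // which also catches a symlink inside the directory pointing elsewhere.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

// Hardened REST callback sketch: a rejected name becomes a 400 error and no
// file is read, so nothing sensitive can land in post meta or an email.
function example_create_template(WP_REST_Request $request) {
    $name = (string) $request->get_param('emailkit-editor-template');
    $path = example_resolve_template($name);
    if ($path === null) {
        return new WP_Error('bad_template', 'Unknown template.', ['status' => 400]);
    }
    $contents = file_get_contents($path);
    // ... store $contents in post meta as the endpoint normally would ...
    return rest_ensure_response(['ok' => true]);
}
```

Register the route with a permission_callback that checks an appropriate capability as well; input containment and authorization are separate controls, and the page notes the endpoint was reachable by Author-level users.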

Added: Jan 7, 2026, 4:14 PM
Updated: Jan 7, 2026, 4:14 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 6.3
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.