EmailKit WordPress Plugin Path Traversal Vulnerability Allowing Arbitrary File Read

A path traversal vulnerability allowing arbitrary file read has been identified in the EmailKit WordPress plugin, specifically in versions through 1.6.3. The issue arises in the TemplateData class, where the action() function directly passes user-supplied input from the 'emailkit-editor-template' REST API parameter to file_get_contents(). This approach lacks proper path validation, sanitization, and restrictions to an allowed directory. As a result, authenticated attackers with Administrator-level access can exploit this vulnerability to read arbitrary files on the server, such as /etc/passwd or wp-config.php, by providing a traversal path. The retrieved file contents are saved as post meta and can be accessed later via the fetch-data REST API endpoint.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially including critical configuration files or user data.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can send a request to the 'emailkit-editor-template' REST API endpoint. The request must include a traversal path that points to a file accessible on the server, such as /etc/passwd or wp-config.php. The response will contain the contents of the specified file, which can then be stored as post meta and retrieved later via the fetch-data REST API endpoint.

Remediation

Users are advised to update the EmailKit WordPress plugin to version 1.6.4 or later, where this vulnerability has been patched.