EmailKit WordPress Plugin Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability allowing arbitrary file read has been identified in the EmailKit plugin for WordPress, affecting all versions through 1.6.5. The issue arises in the create_template() method of the CheckForm class, where realpath() is called on a directory that may not exist. When the directory is missing, realpath() returns false; on PHP 8.x that false is coerced to an empty string during the path check, so the validation passes for any path. As a result, authenticated attackers with Author-level access can read sensitive files, such as wp-config.php, by supplying an absolute path in the emailkit-editor-template REST API parameter.

Impact

Exploitation of this vulnerability allows authenticated users with Author-level access to read arbitrary files from the server, including sensitive configuration files.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access sends a request to the plugin's REST API with the emailkit-editor-template parameter set to the absolute path of a file on the server. Because the path traversal validation is bypassed, access to the specified file is granted.
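The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections, not code from the EmailKit plugin: a minimal base-directory check that collapses when realpath() returns false under PHP's coercive typing, placed beside a hardened version that fails closed. The function names, the directory names and the requested path are constructed for the example, and the checks assume a POSIX-style filesystem.

```php
<?php
// Added example, not the plugin's own code. Runs in PHP's default coercive
// typing mode (no strict_types), as typical WordPress plugin code does;
// under strict_types=1 the false would raise a TypeError instead.

// VULNERABLE: if $baseDir does not exist, realpath() returns false. When
// that false reaches a string parameter it is coerced to "", and every
// string starts with "", so a path anywhere on disk passes the check.
function resolve_template_vulnerable(string $baseDir, string $requested): string|false {
    $base   = realpath($baseDir);      // false when the directory is missing
    $target = realpath($requested);    // an absolute path resolves normally
    if ($target === false || !str_starts_with($target, $base)) {
        return false;                  // never reached when $base is false
    }
    return $target;
}

// HARDENED: require the base directory to resolve, refuse absolute paths and
// NUL bytes up front, resolve the candidate relative to the base, and compare
// against the base plus a separator so "/srv/tpl-evil" does not match "/srv/tpl".
function resolve_template_safe(string $baseDir, string $requested): string|false {
    $base = realpath($baseDir);
    if ($base === false) {
        return false;                  // fail closed: base directory must exist
    }
    if ($requested === '' || $requested[0] === '/' || str_contains($requested, "\0")) {
        return false;                  // only relative names are acceptable here
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return false;                  // missing, or resolved outside the base
    }
    return $target;
}

// Constructed demonstration: a template directory that was never created,
// and a request naming a file that lives well outside it.
$missingBase = sys_get_temp_dir() . '/emailkit-demo-templates-' . bin2hex(random_bytes(4));
$requested   = '/etc/hostname';

var_dump(resolve_template_vulnerable($missingBase, $requested));
var_dump(resolve_template_safe($missingBase, $requested));
```

Running the script on PHP 8.x shows the vulnerable function handing back the resolved absolute path while the hardened one returns false; the same pattern of "resolve, verify non-false, compare with separator" is what to look for when auditing other plugins that build paths from request parameters.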

Remediation

Users are advised to update the EmailKit plugin to version 1.6.6 or later, where this vulnerability has been patched.

Added: May 5, 2026, 4:28 AM
Updated: May 5, 2026, 4:28 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.