Atomic Edge analysis of CVE-2026-22334 (metadata-based):
This vulnerability is an authenticated path traversal flaw in the Woocommerce Book Price WordPress plugin, version 1.3 and earlier. It allows authenticated users with Subscriber-level permissions or higher to download arbitrary files from the server. The CVSS score of 6.5 (Medium) reflects its network accessibility, low attack complexity, and high confidentiality impact.
Atomic Edge research identifies the root cause as CWE-22, Improper Limitation of a Pathname to a Restricted Directory. The plugin likely contains a file download or read function that accepts user-supplied input for a file path parameter. This input is not properly sanitized to prevent directory traversal sequences like ‘../’. The vulnerability description confirms the flaw exists in all versions up to 1.3. Without source code, Atomic Edge infers the vulnerable function is an AJAX handler or admin endpoint accessible to low-privileged users, given the Subscriber+ requirement.
Exploitation requires an attacker to possess a valid Subscriber account. The attacker would send a crafted HTTP request to a plugin-specific endpoint, possibly /wp-admin/admin-ajax.php. The request would include an action parameter corresponding to a plugin file download function and a file path parameter containing traversal sequences. A typical payload would be ‘action=woo_book_price_download&file=../../../wp-config.php’ or similar. The server would then return the contents of the specified file instead of restricting access to an intended directory.
Remediation requires implementing proper path validation. The fix should validate user-supplied filenames against an allowlist of permitted files. If an allowlist is impractical, the code must sanitize the input by resolving the full path and checking that it begins with the intended base directory. PHP's realpath() combined with a strpos() prefix check is a common solution. Input validation must occur before any file operations.
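A hardened version of such a download handler, combining the allowlist with a realpath()-based base-directory check, is shown below as an added example; it is not code from the plugin, and the action name, nonce, capability and allowlist entries are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened download handler for a
// WordPress AJAX action. The action name 'woo_book_price_download', the
// 'file' parameter, the nonce, capability and uploads subdirectory are assumed.

add_action( 'wp_ajax_woo_book_price_download', 'wbp_example_download_handler' );

/**
 * Resolve a user-supplied file name to a path inside $base_dir, or return
 * false if it escapes that directory (traversal, symlinks, absolute paths).
 */
function wbp_example_safe_path( $base_dir, $requested ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    // Reject anything that is not a plain file name: no directory parts at all.
    if ( '' === $requested || basename( $requested ) !== $requested ) {
        return false;
    }
    $full = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    // realpath() collapses '..' and returns false for missing files; the
    // prefix check also catches symlinks that point outside $base.
    if ( false === $full || 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $full;
}

function wbp_example_download_handler() {
    // Capability check first: Subscriber-level accounts never reach the file code.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wbp_download', 'nonce' );

    $requested = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    $allowed   = array( 'price-list.csv', 'price-list.pdf' ); // assumed allowlist

    $base = wp_upload_dir()['basedir'] . '/woo-book-price';
    $path = in_array( $requested, $allowed, true ) ? wbp_example_safe_path( $base, $requested ) : false;
    if ( false === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $requested . '"' );
    readfile( $path );
    wp_die();
}
```

The allowlist is the primary control; wbp_example_safe_path() is defence in depth so that a future change to the allowed names cannot silently reintroduce traversal.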
Successful exploitation leads to full server file disclosure for files readable by the web server process. Attackers can retrieve WordPress configuration files (wp-config.php) containing database credentials, secret keys, and other sensitive data. They can also access system files (/etc/passwd), plugin source code, and log files. This information facilitates further attacks, including database compromise and potential privilege escalation.
