CVE-2025-14388
PhastPress · PhastPress plugin for WordPress
A critical vulnerability exists in the PhastPress plugin for WordPress, allowing unauthenticated attackers to read any file on the web server.
Executive summary
A critical vulnerability exists in the PhastPress plugin for WordPress, allowing unauthenticated attackers to read any file on the web server. By exploiting this flaw, an attacker could access highly sensitive information, such as the wp-config.php file containing database credentials, which could lead to a complete compromise of the website and its data.
Vulnerability
The vulnerability is an Unauthenticated Arbitrary File Read caused by a null byte injection flaw. The plugin validates file extensions on a URL-decoded path but builds the final file system path using a different function that truncates the string at a null byte. An unauthenticated attacker can craft a special request for a sensitive file (e.g., wp-config.php), append a double URL-encoded null byte (%2500), and then add a permitted extension like .txt. The extension check passes, but the file path processing stops at the null byte, causing the server to read and return the contents of the sensitive wp-config.php file instead of the non-existent .txt file.
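To make the mechanism concrete from the defender's side, the following added example (written for this page, not code from PhastPress or the advisory's authors) contrasts the flawed pattern described above with a hardened path check. The allow-list of extensions, the cache directory and the function names are assumptions for illustration; the plugin's real code and routes are not shown on the page. The hardened version decodes until the value stops changing, rejects any embedded NUL, checks the extension on the fully decoded name, and confines the resolved path to a base directory.

```python
import os
from urllib.parse import unquote

# Assumed allow-list for illustration; the plugin's actual list is not on the page.
ALLOWED_EXTENSIONS = {".css", ".js", ".txt"}


def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value is stable, so %2500 -> %00 -> NUL."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    return cur


def extension_check_decoded_once(raw_path: str) -> bool:
    """The flawed pattern the advisory describes: one decoding round, then an
    extension check. 'wp-config.php%2500.txt' decodes to 'wp-config.php%00.txt',
    whose extension is '.txt', so the check passes even though a later
    NUL-truncating call would open wp-config.php."""
    decoded = unquote(raw_path)
    return os.path.splitext(decoded)[1].lower() in ALLOWED_EXTENSIONS


def safe_resolve(base_dir: str, raw_path: str):
    """Hardened check: validate the same string that will reach the filesystem.
    Returns the resolved absolute path, or None if the request is rejected."""
    decoded = fully_decode(raw_path)
    # Reject embedded NUL outright; no legitimate filename contains it.
    if "\x00" in decoded:
        return None
    # Extension check on the fully decoded name, not on a half-decoded one.
    if os.path.splitext(decoded)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # Confine to the base directory to stop '../' escapes as well.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/phast-cache-example"  # assumed directory for illustration
    print(extension_check_decoded_once("wp-config.php%2500.txt"))   # True: flawed check passes
    print(safe_resolve(base, "../wp-config.php%2500.txt"))          # None: rejected
    print(safe_resolve(base, "assets/site.css"))                    # resolved path under base
```

The important design point is that validation and file access must operate on one and the same normalized string; any gap between "what was checked" and "what was opened" is where this class of bug lives.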
Business impact
This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the ease of exploitation and the severity of its impact. Successful exploitation allows an attacker to read sensitive configuration files, most notably wp-config.php. This file contains the database username, password, and host, which an attacker can use to gain direct access to the website's database. The potential consequences include theft of all website data (including user information), data modification or deletion, and a complete site takeover, leading to significant reputational damage, financial loss, and potential regulatory fines.
Remediation
Immediate Action: Immediately update the PhastPress plugin for WordPress to the latest patched version (greater than 3.7). After patching, thoroughly review web server access logs for any signs of past exploitation attempts.
Proactive Monitoring: System administrators should actively monitor web server logs (e.g., Apache, Nginx) for suspicious requests. Specifically, look for GET requests containing double URL-encoded null bytes (%2500) in the URI, especially those targeting sensitive files like wp-config.php, .htaccess, or other critical server configuration files.
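The log review described above can be scripted. The following added example (not part of the advisory and not a vendor tool) scans Apache/Nginx combined-format access log lines for request URIs that decode to an embedded null byte, and flags whether the decoded target names one of the sensitive files the advisory mentions. The log lines, the client addresses and the `/phast-example-endpoint?src=` route are constructed placeholders; the plugin's real endpoint is not shown on the page.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files the advisory names as high-value targets.
SENSITIVE_TARGETS = ("wp-config.php", ".htaccess")


def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so that %2500, %00 and deeper nestings all become NUL."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    return cur


def scan_log(text: str) -> list:
    """Return one finding per request whose URI decodes to contain a NUL byte."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line; skip rather than guess
        uri = m.group("uri")
        decoded = fully_decode(uri)
        if "\x00" not in decoded:
            continue
        low = decoded.lower()
        targets = [t for t in SENSITIVE_TARGETS if t in low]
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "uri": uri,
            "sensitive_targets": targets,
            # A 200 on a request that names a sensitive file deserves immediate follow-up.
            "severity": "high" if targets and m.group("status") == "200" else "medium",
        })
    return findings


# Constructed sample log lines; addresses are documentation ranges, the route is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:12:00:01 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "GET /phast-example-endpoint?src=wp-config.php%2500.txt HTTP/1.1" 200 3100 "-" "curl/8.0"
198.51.100.9 - - [10/Jan/2026:12:00:03 +0000] "GET /phast-example-endpoint?src=.htaccess%00.txt HTTP/1.1" 200 420 "-" "curl/8.0"
198.51.100.9 - - [10/Jan/2026:12:00:04 +0000] "GET /phast-example-endpoint?src=readme.txt%2500 HTTP/1.1" 404 210 "-" "curl/8.0"
this line is not a valid access log entry
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["status"], f["uri"], f["sensitive_targets"])
```

Matching on the decoded value rather than on the literal `%2500` means the same scan catches single-encoded `%00` and deeper nestings, and it works whether the server logged the raw request line or an already-decoded form. Correlate any hit with the response status and size: a 200 with a body size consistent with a configuration file is the strongest indicator of successful exploitation.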
Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:
- Implement a Web Application Firewall (WAF) with rules to detect and block requests containing null byte characters (%00 or %2500).
- Temporarily disable the PhastPress plugin until it can be safely updated.
- Enforce strict file permissions on the web server to ensure that critical files like wp-config.php are not readable by the web server process if possible, although this may impact site functionality.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical severity (CVSS 9.8), the lack of authentication required for exploitation, and the high-value target of WordPress configuration files, this vulnerability poses an immediate and severe threat to affected organizations. We strongly recommend that all users of the PhastPress plugin apply the vendor-supplied patch immediately. Do not wait for evidence of active exploitation or for this CVE to be added to the CISA KEV list; the risk of a full site compromise is too high to delay action.