Description
WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter in dispatcher.php to include and read sensitive files accessible to the web server.
Published: 2026-05-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can supply arbitrary file paths through the open GET parameter in dispatcher.php, causing the plugin to include and read any file accessible to the web server. The flaw stems from insufficient input validation and results in a local file read that can expose configuration files, credentials, and other sensitive data, compromising confidentiality.

Affected Systems

The vulnerability resides in WordPress plugin amministrazione-aperta version 3.7.3. WordPress sites that have installed this specific plugin version are affected; newer releases of the plugin are not known to contain the flaw.

Risk and Exploitability

The CVSS score of 6.9 signals a moderate severity. The EPSS score is unavailable, but the vulnerability is publicly documented and not listed in CISA’s KEV catalog. An attacker needs only to construct a URL whose open parameter points to the desired file, without authenticating, to read that file. This exposes sensitive data but does not achieve code execution or broader system compromise.

Generated by OpenCVE AI on May 10, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the amministrazione-aperta plugin to the latest release that fixes the local file read vulnerability or replace it with a trusted alternative.
  • If an upgrade is not immediately possible, temporarily disable or remove the plugin to prevent unauthenticated access to the vulnerable endpoint.
  • Implement stricter input validation for the open parameter—whitelist allowable file paths or add a check that restricts file access to a safe subset, thereby eliminating insecure direct object references.

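One way to implement the input-validation action listed above, as an added example that is not the plugin's code or a vendor fix: an explicit allow-list of view keys, and a `realpath()` containment check for cases where a path must be accepted. The function names, view keys and directory layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Option 1: explicit allow-list. The request carries a key, never a path.
// Keys and file names are hypothetical, not taken from the plugin.
const AA_ALLOWED_VIEWS = [
    'list'   => 'views/list.php',
    'detail' => 'views/detail.php',
];

function aa_resolve_by_key(string $open, string $baseDir): ?string
{
    return array_key_exists($open, AA_ALLOWED_VIEWS)
        ? $baseDir . DIRECTORY_SEPARATOR . AA_ALLOWED_VIEWS[$open]
        : null;
}

// Option 2: containment check for when a relative path must be accepted.
function aa_resolve_by_path(string $open, string $baseDir): ?string
{
    // PHP 8 filesystem functions throw ValueError on NUL bytes; reject first.
    if ($open === '' || strpos($open, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", follows symlinks, and returns false
    // for paths that do not exist (including stream-wrapper strings).
    $full = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $open);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demo input: a throwaway base directory with one servable file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'aa_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/views', 0700, true);
file_put_contents($base . '/views/list.php', '<?php // placeholder view');
foreach (['views/list.php', '../../../etc/passwd', '/etc/passwd', 'views/../../x'] as $open) {
    printf("path %-22s => %s\n", $open, aa_resolve_by_path($open, $base) ?? 'rejected');
}
foreach (['list', 'views/list.php'] as $open) {
    printf("key  %-22s => %s\n", $open, aa_resolve_by_key($open, $base) ?? 'rejected');
}
```

The key-based form is the stricter of the two, because no request value ever reaches the filesystem; the containment check only holds if the comparison is made on the resolved path, after symlinks and `..` segments have been collapsed.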


Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Amministrazione Aperta Project; Amministrazione Aperta Project amministrazione Aperta; Wordpress; Wordpress wordpress
Vendors & Products | | Amministrazione Aperta Project; Amministrazione Aperta Project amministrazione Aperta; Wordpress; Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter in dispatcher.php to include and read sensitive files accessible to the web server.
Title | | WordPress Plugin amministrazione-aperta 3.7.3 Local File Read
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T15:10:46.068Z

Reserved: 2026-01-11T13:34:26.332Z

Link: CVE-2022-50956

Vulnrichment

Updated: 2026-05-11T15:10:41.951Z

NVD

Status: Received

Published: 2026-05-10T13:16:33.180

Modified: 2026-05-10T13:16:33.180

Link: CVE-2022-50956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T20:00:05Z

Weaknesses