Cyber Resilience

CVE-2022-4047

Critical · Public PoC

Published: 26 December 2022
Modified: 14 April 2025
KEV Added: not listed
Patch: (none recorded)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7330 (98.8th percentile)
Risk Priority: 64 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4047 is a critical-severity vulnerability (weakness type unspecified) in the WPSwings Return Refund and Exchange For WooCommerce plugin. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Return Refund and Exchange For WooCommerce WordPress plugin before version 4.0.9 contains an input validation flaw in an AJAX file-upload action. The component fails to restrict the types of attachments that can be supplied, allowing arbitrary files such as PHP scripts to be written to the server and subsequently executed.

Unauthenticated remote attackers can invoke the exposed AJAX endpoint to upload and execute malicious payloads, resulting in full remote code execution on the underlying web server with the privileges of the web-service account.
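The flaw class described above (an AJAX upload action that is reachable without authentication and never checks what it is writing to disk) is easiest to recognise next to its hardened form. The following is an added illustration written for this page, not code from the plugin or from WPSwings; the action name `example_attach_file`, the field name `attachment` and the allowed-type list are assumptions, and the WordPress API calls used (`check_ajax_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload`) are standard core functions.

```php
<?php
// Added example (not the plugin's code). Weak pattern first: the handler is
// registered on the wp_ajax_nopriv_ hook, so any visitor can reach it, and it
// moves the uploaded file under the name the client chose without checking
// its type. This is the shape of defect the advisory describes.
add_action( 'wp_ajax_nopriv_example_attach_file', 'example_attach_file_weak' );
function example_attach_file_weak() {
    $upload_dir = wp_upload_dir();
    $dest = trailingslashit( $upload_dir['basedir'] ) . $_FILES['attachment']['name'];
    move_uploaded_file( $_FILES['attachment']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// Hardened pattern. Only the authenticated hook is registered (no
// wp_ajax_nopriv_ variant), the request must carry a valid nonce, the user
// needs a relevant capability, and the file must pass both an extension and a
// content (MIME sniff) check against an explicit allow-list before WordPress's
// own upload routine writes it with a sanitised, unique file name.
add_action( 'wp_ajax_example_attach_file', 'example_attach_file_hardened' );
function example_attach_file_hardened() {
    // Dies with a 403 if the nonce (assumed field name "nonce") is missing or stale.
    check_ajax_referer( 'example_attach_file', 'nonce' );

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['attachment'] ) || UPLOAD_ERR_OK !== $_FILES['attachment']['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }

    // Allow-list of return/exchange evidence types (assumed for this example).
    // PHP and other executable types are simply not present in the list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $file = $_FILES['attachment'];

    // Checks the extension against $allowed and, for images, sniffs the real
    // content; a mismatch yields empty 'ext'/'type'.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // test_form => false because this is an AJAX request, not a wp-admin form;
    // passing 'mimes' makes wp_handle_upload enforce the same allow-list and
    // store the file under a unique, sanitised name inside the uploads directory.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The two checks that matter most for this CVE class are the absence of the `wp_ajax_nopriv_` registration and the explicit type allow-list; a nonce alone would not help, since nonces are not an authentication mechanism and unauthenticated pages can still be made to carry one. As defence in depth independent of any plugin fix, sites commonly configure the web server to refuse to execute scripts from the uploads directory, which limits the impact of any validation bypass.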

The associated EPSS score rose from lower values after disclosure to a peak of 0.8354 on 2025-12-11 before receding to the current 0.7330, indicating a clear increase in observed exploitation interest that merits renewed defensive focus. Detailed vulnerability information is published on WPScan.

EU & UK References

Vulnerability details

The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpswings
Product: return refund and exchange for woocommerce
Versions: ≤ 4.0.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References