CVE-2022-4047
Published: 26 December 2022
Summary
CVE-2022-4047 is a critical-severity vulnerability of unspecified weakness type in Wpswings Return Refund And Exchange For Woocommerce. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Return Refund and Exchange For WooCommerce WordPress plugin before version 4.0.9 contains an input validation flaw in an AJAX file-upload action. The component fails to restrict the types of attachments that can be supplied, allowing arbitrary files such as PHP scripts to be written to the server and subsequently executed.
Unauthenticated remote attackers can invoke the exposed AJAX endpoint to upload and execute malicious payloads, resulting in full remote code execution on the underlying web server with the privileges of the web-service account.
The associated EPSS score rose from lower values after disclosure to a peak of 0.8354 on 2025-12-11 before receding to the current 0.7330, a clear increase in observed exploitation interest that merits renewed defensive focus. Detailed vulnerability information is published on WPScan.
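The hardening a defender would expect for an endpoint of this kind, as an added example that is not the plugin's own code (the action name `rre_upload_attachment`, the nonce name and the form field name are assumptions): register the handler only for authenticated users, require a capability and a nonce, and validate the upload against an explicit allow-list before handing it to WordPress's own upload routine.

```php
<?php
// Added example, not the plugin's code. The action, nonce and field names are hypothetical.
// Hardened AJAX attachment upload: no 'wp_ajax_nopriv_' registration (unauthenticated
// callers get "-1" from admin-ajax.php), nonce + capability check, extension/MIME
// allow-list via wp_check_filetype_and_ext(), then wp_handle_upload() so the file is
// stored under the uploads directory with a sanitised, unique name.

add_action( 'wp_ajax_rre_upload_attachment', 'rre_handle_attachment_upload' );
// Deliberately no add_action( 'wp_ajax_nopriv_rre_upload_attachment', ... ).

function rre_handle_attachment_upload() {
    // Rejects the request (dies) when the nonce is missing or invalid.
    check_ajax_referer( 'rre_upload_nonce', 'nonce' );

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['attachment'] ) || ! is_uploaded_file( $_FILES['attachment']['tmp_name'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    $file = $_FILES['attachment'];

    // Allow-list of return-evidence types; scripts such as .php are never accepted.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Matches the extension against the allow-list and, for images, verifies that the
    // actual content agrees with the claimed type; empty 'ext'/'type' means rejected.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }

    // Return only the public URL, never the server-side path.
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```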
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51424
Vulnerability details
The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.