Cyber Resilience

CVE-2022-4140

Severity: High · Public PoC

Published: 02 January 2023
Modified: 10 April 2025
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3141 (96.9th percentile)
Risk Priority: 34 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4140 is a high-severity vulnerability of an unspecified weakness type (no CWE assigned) in the Welcart E-Commerce plugin. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Welcart e-Commerce WordPress plugin before version 2.8.5 is affected by an arbitrary file read vulnerability. The plugin fails to validate user input before using it to select, retrieve and output a file's contents, so server-side files are directly exposed to remote readers.

Unauthenticated attackers can exploit the flaw over the network with low attack complexity and no required privileges or user interaction. Successful exploitation grants read access to arbitrary files on the server, resulting in high confidentiality impact as reflected in the CVSS 7.5 score.

Advisories published by WPScan document the issue and identify the affected plugin versions, indicating that mitigation requires updating to Welcart e-Commerce 2.8.5 or later.

The EPSS score for this CVE rose materially from a low baseline to a peak of 0.7032 on 2025-12-18 before receding to the current value of 0.3141, signaling increased exploitation interest after public disclosure.

Vulnerability details

The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow an unauthenticated attacker to read arbitrary files on the server.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: welcart
Product: welcart e-commerce
Versions: ≤ 2.8.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.