CVE-2022-4140
Published: 02 January 2023
Summary
CVE-2022-4140 is a high-severity vulnerability of unspecified weakness type in Welcart's Welcart E-Commerce plugin. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Welcart e-Commerce WordPress plugin before version 2.8.5 is affected by an arbitrary file read vulnerability. The plugin fails to validate user input prior to using it to retrieve and output file contents, directly exposing server-side files to remote access.
Unauthenticated attackers can exploit the flaw over the network with low attack complexity and no required privileges or user interaction. Successful exploitation grants read access to arbitrary files on the server, resulting in high confidentiality impact as reflected in the CVSS 7.5 score.
Advisories published by WPScan document the issue and identify the affected plugin versions, indicating that mitigation requires updating to Welcart e-Commerce 2.8.5 or later.
The EPSS score for this CVE rose materially from a low baseline to a peak of 0.7032 on 2025-12-18 before receding to the current value of 0.3141, signaling increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51502
Vulnerability details
The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow an unauthenticated attacker to read arbitrary files on the server.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.