CVE-2022-41840
Published: 18 November 2022
Summary
CVE-2022-41840 is a high-severity Path Traversal (CWE-22) vulnerability in the Welcart e-Commerce plugin for WordPress. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-41840 is an unauthenticated directory traversal vulnerability, tracked under CWE-22, that affects the Welcart e-Commerce plugin for WordPress at version 2.7.7 and earlier. The flaw received a CVSS 3.1 base score of 7.5, reflecting a network-accessible attack vector that requires no authentication or user interaction and results in high confidentiality impact.
An unauthenticated attacker can send specially crafted requests to the vulnerable plugin to traverse directories and read arbitrary files on the server, exposing sensitive configuration data, credentials, or other restricted content without any prior access. On a WordPress host the obvious target is wp-config.php, which holds the database credentials and authentication salts; the impact is read access only, consistent with the score's high confidentiality impact.
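Because the attack is a crafted, unauthenticated HTTP request, the traversal sequence is visible in ordinary web-server access logs. The following Python is an added example for this page, not code from the plugin or its advisories: it scans constructed log lines for traversal sequences, including URL-encoded and double-encoded forms. The log lines are constructed, and the request path `/wp-content/plugins/example-plugin/download.php?file=` is a hypothetical endpoint, not the vulnerable one.

```python
"""Flag web requests carrying directory-traversal sequences, including
URL-encoded and double-encoded forms.

Added example for this page, not code from the Welcart plugin or its
advisories. The log lines are constructed, and the request path
(/wp-content/plugins/example-plugin/download.php?file=) is a
hypothetical endpoint, not the vulnerable one.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Enough of the combined log format to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2022:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 2917
203.0.113.7 - - [18/Nov/2022:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2917
203.0.113.7 - - [18/Nov/2022:10:01:09 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1450
198.51.100.4 - - [18/Nov/2022:10:02:00 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=invoice-1042.pdf HTTP/1.1" 200 53211
198.51.100.4 - - [18/Nov/2022:10:02:31 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 18220
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e (double
    encoding) is seen as '..' just like %2e%2e or a literal '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target: str) -> bool:
    """True when any path or query segment of the decoded target is '..'.
    Splitting on '/', '?', '&' and '=' catches the payload whether it sits in
    the path or in a parameter value; backslashes are folded to '/' so the
    same check covers Windows hosts."""
    decoded = fully_decode(target).replace("\\", "/")
    return ".." in re.split(r"[/?&=]", decoded)


def find_traversal_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request that looks like a traversal attempt.
    A 200 status on such a request is the signal to escalate: the server
    handed something back."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['target']}")
```

Run against the constructed sample, the three requests from 203.0.113.7 are flagged and the two benign ones are not. Decoding to a fixed point before splitting is what makes the double-encoded third line match; a single `unquote` would leave it as `%2e%2e%2f` and miss it.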
Public advisories published through Patchstack document the issue and point administrators to updated plugin releases that remediate the traversal flaw. The associated EPSS score reached a peak of 0.8356 before receding to its current value of 0.6574.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-45007
Vulnerability details
Unauth. Directory Traversal vulnerability in Welcart eCommerce plugin <= 2.7.7 on WordPress.
- CWE(s): CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Welcart e-Commerce plugin for WordPress, version 2.7.7 and earlier.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories: canonicalise the resolved path (symlinks included) and check that it stays within the allowed base directory by comparing path components, not string prefixes.
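The traversal described under Deeper analysis and the control listed above, as an added example that is not code from the Welcart plugin or its advisories: the join pattern behind CWE-22, a lexical prefix check that looks like a fix but is not, and a hardened resolver that canonicalises and tests containment. Directory and file names are hypothetical, and the demo assumes a POSIX host (it creates a symlink).

```python
"""Resolving a user-supplied filename under a base directory: the join
pattern behind CWE-22, a lexical check that looks safe but is not, and a
hardened resolver that canonicalises and tests containment.

Added example for this page; it is not Welcart plugin code. Directory
and file names below are hypothetical, and the demo assumes a POSIX host.
"""
import os
import tempfile
from typing import Dict, Optional, Tuple


def vulnerable_resolve(base_dir: str, user_file: str) -> str:
    """CWE-22 pattern: untrusted input joined straight onto the base dir.
    '..' segments walk out of it and an absolute input replaces it entirely."""
    return os.path.join(base_dir, user_file)


def lexical_check(base_dir: str, user_file: str) -> bool:
    """A common but insufficient fix: normalise and compare string prefixes.
    It misses symlinks (normpath never touches the filesystem) and accepts
    sibling directories whose name merely starts with base_dir."""
    candidate = os.path.normpath(os.path.join(base_dir, user_file))
    return candidate.startswith(base_dir)


def safe_resolve(base_dir: str, user_file: str) -> str:
    """Canonicalise (symlinks included) and require the result to stay inside
    base_dir, comparing path components rather than string prefixes."""
    if "\x00" in user_file:
        raise ValueError("NUL byte in filename")
    base = os.path.realpath(base_dir)
    # Strip leading separators so an absolute input is anchored under base
    # instead of replacing it in os.path.join.
    candidate = os.path.realpath(os.path.join(base, user_file.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_file!r}")
    return candidate


def demo() -> Dict[str, Tuple[bool, bool, Optional[str]]]:
    """Exercise the three resolvers against a throwaway upload directory.
    Returns {input: (vulnerable_result_escapes, lexical_check_accepts,
    safe_result_relative_to_base_or_None)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.makedirs(base)
        with open(os.path.join(base, "invoice.pdf"), "w") as f:
            f.write("constructed sample file\n")
        # A symlink inside the upload dir that points at its parent.
        os.symlink(tmp, os.path.join(base, "escape"))
        real_base = os.path.realpath(base)
        for user_input in [
            "invoice.pdf",            # benign
            "sub/../invoice.pdf",     # benign after normalisation
            "../../etc/passwd",       # classic traversal
            "/etc/passwd",            # absolute path
            "escape/wp-config.php",   # traversal via symlink
            "../uploads-old/x",       # defeats the startswith prefix check
        ]:
            resolved = os.path.realpath(vulnerable_resolve(base, user_input))
            escapes = os.path.commonpath([real_base, resolved]) != real_base
            try:
                safe_rel = os.path.relpath(safe_resolve(base, user_input), real_base)
            except ValueError:
                safe_rel = None
            results[user_input] = (escapes, lexical_check(base, user_input), safe_rel)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} escapes={v[0]!s:5} lexical_ok={v[1]!s:5} safe={v[2]}")
```

Two rows are the point of the demo: `escape/wp-config.php` and `../uploads-old/x` both escape the upload directory, both pass the normpath-plus-startswith check, and both are rejected by the canonicalising resolver. The absolute-path input is not rejected but anchored under the base directory, which is a design choice; rejecting it outright is equally valid.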