CVE-2022-4298
Published: 02 January 2023
Summary
CVE-2022-4298 is a critical-severity vulnerability of an unspecified weakness type in Cedcommerce Wholesale Market. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-4298 affects the Wholesale Market WordPress plugin before version 2.2.1. The flaw combines a missing authorization check with absent validation of user-supplied input that is used to build a filesystem path, resulting in the ability to download arbitrary files from the server.
Unauthenticated attackers can exploit the flaw remotely with no user interaction required. Successful exploitation grants read access to any file on the underlying server and carries a CVSS 3.1 score of 9.8, reflecting critical impact across confidentiality, integrity, and availability.
Public references published by WPScan identify the affected plugin versions and the conditions that permit the arbitrary file download. The current and peak EPSS values are both recorded at 0.5574.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51654
Vulnerability details
The Wholesale Market WordPress plugin before 2.2.1 does not have an authorisation check, nor does it validate user input used to generate a system path, allowing unauthenticated attackers to download arbitrary files from the server.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.