Cyber Resilience

CVE-2022-4298

Critical · Public PoC

Published: 02 January 2023

Modified: 10 April 2025
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5574 (percentile 98.1)
Risk Priority: 53 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-4298 is a critical-severity vulnerability of unspecified weakness type (no CWE listed) in the Cedcommerce Wholesale Market WordPress plugin. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.9% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-4298 affects the Wholesale Market WordPress plugin before version 2.2.1. Two defects combine: the file-download code performs no authorization check, and it does not validate the user-supplied input it uses to build a filesystem path. Together they allow any request to read arbitrary files from the server.

Unauthenticated attackers can exploit the flaw remotely with no user interaction required. Successful exploitation grants read access to any file on the underlying server and carries a CVSS 3.1 score of 9.8, reflecting critical impact across confidentiality, integrity, and availability.

Public references published by WPScan identify the affected plugin versions and the conditions that permit the arbitrary file download. The current and peak EPSS values are both recorded at 0.5574.
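The two missing controls described above (an authorization check and validation of a request value used to build a path) are easiest to see side by side. The following is an added illustration written for this page; it is not the Wholesale Market plugin's code, and the parameter name `file`, the export directory, the capability and the nonce action are all hypothetical. The weak handler shows the pattern the advisory describes; the hardened handler adds the checks a WordPress plugin would normally apply.

```php
<?php
// Added illustration, not the plugin's own code. Assumed: a request parameter
// named "file", an export directory under wp-content/uploads, the core
// capability "manage_options" and a hypothetical nonce action name.

// Weak pattern: no capability or nonce check, and the request value is
// concatenated straight into a filesystem path, so "../" is never rejected.
function wm_example_download_weak() {
    $file = isset( $_GET['file'] ) ? $_GET['file'] : '';
    $path = WP_CONTENT_DIR . '/uploads/exports/' . $file;
    header( 'Content-Type: application/octet-stream' );
    readfile( $path );
    exit;
}

// Hardened pattern.
function wm_example_download_hardened() {
    // 1. Authorization: require a logged-in user with the needed capability
    //    and a valid nonce tied to this action (hypothetical action name).
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'wm_example_download' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    // 2. Input validation: reduce the value to a bare file name, resolve the
    //    real path, and confirm it still lies inside the export directory.
    $base_dir = realpath( WP_CONTENT_DIR . '/uploads/exports' );
    $raw      = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $name     = basename( sanitize_file_name( $raw ) ); // drops directory parts
    $path     = ( '' === $name || false === $base_dir ) ? false : realpath( $base_dir . '/' . $name );

    // realpath() returns false for missing files and collapses any "..",
    // so a prefix comparison against the base directory is the final gate.
    $prefix = $base_dir . DIRECTORY_SEPARATOR;
    if ( false === $path || 0 !== strncmp( $path, $prefix, strlen( $prefix ) ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $path );
    exit;
}

// Register only the hardened handler on an admin-post action (hypothetical name).
add_action( 'admin_post_wm_example_download', 'wm_example_download_hardened' );
```

The ordering matters for detection as well as prevention: because the hardened handler rejects unauthenticated requests before touching the filesystem, any 403 logged for this action from an anonymous client is itself a usable signal, whereas the weak handler gives the web server nothing to distinguish a legitimate export from a traversal attempt.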

EU & UK References

Vulnerability details

The Wholesale Market WordPress plugin before 2.2.1 does not have an authorisation check, nor does it validate user input used to generate a system path, allowing unauthenticated attackers to download arbitrary files from the server.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cedcommerce wholesale market, versions ≤ 2.2.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References