CVE-2022-4106

2022-12-1914:15:12

CWE-552

[email protected]

web.nvd.nist.gov

cve-2022-4106

woocommerce

wordpress

plugin

security

vulnerability

authorization check

file download

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

60.1%

JSON

The Wholesale Market for WooCommerce WordPress plugin before 1.0.7 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server.

Affected configurations

Vulners

NVD

Node

cedcommercewholesale_market_for_woocommerceRange<1.0.7

VendorProductVersionCPE
cedcommercewholesale_market_for_woocommerce*cpe:2.3:a:cedcommerce:wholesale_market_for_woocommerce:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cedcommerce	wholesale_market_for_woocommerce	*	cpe:2.3:a:cedcommerce:wholesale_market_for_woocommerce::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Wholesale Market for WooCommerce",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.0.7"
      }
    ],
    "defaultStatus": "unaffected"
  }
]