CVE-2022-4108

2022-12-1914:15:12

[email protected]

web.nvd.nist.gov

wholesale market

woocommerce

wordpress

cve-2022-4108

vulnerability

user input

system path

high privilege users

admin

arbitrary file

multisite

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

29.8%

JSON

The Wholesale Market for WooCommerce WordPress plugin before 1.0.8 does not validate user input used to generate system path, allowing high privilege users such as admin to download arbitrary file from the server even when they should not be able to (for example in multisite)