CVE-2022-4298: Path Traversal in Wholesale Market

Severity: 9.8 CRITICAL (NVD)
EPSS: 55.7% (top 1.90%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 2; latest update Jan 3

Description

The Wholesale Market WordPress plugin before 2.2.1 does not have an authorisation check and does not validate the user input used to generate a system path, allowing unauthenticated attackers to download arbitrary files from the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 1 package

Vulnerability Details (2)

GHSA: GHSA-r9x2-m498-v92q: The Wholesale Market WordPress plugin before 2 (2023-01-03)
CVEList: Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download (2023-01-02)

Vendor Advisories (1)

Juniper: CVE-2022-22249: An Improper Control of a Resource Through its Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series a (2022-10-18)