← back
CVE-2022-4298

Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download

CVSS 9.8 CRITICALEPSS 1.8%
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.8EPSS 1.8%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
02 Jan 2023Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Wholesale Market WordPress plugin before 2.2.1 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · Wholesale Market
public PoCs found1
cve_referencewpscan.com/vulnerability/7485ad23-6ea4-4018-88b1-174312a0a478unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/7485ad23-6ea4-4018-88b1-174312a0a478