CVE-2022-33901: 
WordPress vulnerability analysis and mitigation

An Unauthenticated Arbitrary File Read vulnerability was discovered in the MultiSafepay plugin for WooCommerce versions 4.13.1 and below for WordPress. The vulnerability was assigned CVE-2022-33901 and was disclosed on July 18, 2022. The issue affects the MultiSafepay plugin for WooCommerce up to version 4.15.0 (Patchstack Advisory).

The vulnerability is classified as a Directory Traversal issue, which could allow unauthorized users to read arbitrary files on the system. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) according to NVD, while Patchstack assigned it a CVSS score of 5.3 (MEDIUM). The vulnerability is tracked under CWE-552 (Files or Directories Accessible to External Parties) (NVD).

This vulnerability could allow malicious actors to view all files in a given directory or determine if certain files/directories exist in a given folder. This access could potentially be used to exploit other weaknesses in the system. The vulnerability poses a moderate risk and is expected to become exploited (Patchstack Advisory).

The vulnerability has been fixed in version 4.16.0 of the MultiSafepay plugin for WooCommerce. Users are advised to update to this version or later to remove the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack Advisory).