CVE-2022-3762: 
WordPress vulnerability analysis and mitigation

CVE-2022-3762 is a security vulnerability affecting multiple WooCommerce plugins including Booster for WooCommerce, Booster Plus for WooCommerce, and Booster Elite for WooCommerce. The vulnerability was discovered and publicly disclosed on October 31, 2022. It affects the file download functionality in these plugins, specifically impacting versions prior to 5.6.7 for woocommerce-jetpack, 5.6.5 for booster-plus-for-woocommerce, and 1.1.7 for booster-elite-for-woocommerce (WPScan).

The vulnerability is classified as a path traversal (CWE-22) with a CVSS score of 5.8 (medium severity). The issue stems from insufficient validation of file downloads in certain modules, particularly in the 'Checkout File Upload' and 'Product Init Fields' modules. This vulnerability falls under the OWASP Top 10 category A1: Injection (WPScan).

When exploited, this vulnerability allows authenticated users with Shop Manager or Admin privileges to download arbitrary files from the server, including sensitive system files such as wp-config.php and /etc/passwd. This capability extends beyond their intended permissions, particularly in multisite installations (WPScan).

The vulnerability has been patched in multiple versions of the affected plugins. Users should upgrade to woocommerce-jetpack version 5.6.7, booster-plus-for-woocommerce version 5.6.5, or booster-elite-for-woocommerce version 1.1.7 or later to mitigate this vulnerability (WPScan).