CVE-2022-4108: 
WordPress vulnerability analysis and mitigation

The Wholesale Market for WooCommerce WordPress plugin versions before 1.0.8 contains a file download vulnerability identified as CVE-2022-4108. The vulnerability was publicly disclosed on November 28, 2022, and affects the plugin's file handling functionality. The issue allows high-privilege users such as administrators to download arbitrary files from the server, even in scenarios where such access should be restricted, such as in multisite installations (WPScan Advisory).

The vulnerability stems from insufficient validation of user input used to generate system paths. The issue has been assigned a CVSS v3.1 base score of 4.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-552 and falls into the OWASP Top 10 category A1: Injection (NVD Database, WPScan Advisory).

When exploited, this vulnerability allows authenticated administrators to download arbitrary files from the server filesystem, potentially exposing sensitive configuration files and other critical system information. This is particularly concerning in multisite WordPress installations where such access should be restricted (WPScan Advisory).

The vulnerability has been patched in version 1.0.8 of the Wholesale Market for WooCommerce plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan Advisory).