CVE-2022-4236: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-4236 affects the Welcart e-Commerce WordPress plugin versions before 2.8.5. The vulnerability was publicly disclosed on December 5, 2022, and involves an input validation issue that could allow authenticated users to access arbitrary files on the server. The affected plugin, also known as usc-e-shop, is an e-commerce solution for WordPress websites (WPScan).

The vulnerability stems from improper input validation in the AJAX action functionality. The plugin fails to properly validate user input before using it to output file content through an AJAX action that is accessible to any authenticated user. The vulnerability has been assigned a CVSS score of 7.7 (High) and is classified under CWE-552. It is also categorized under the OWASP Top 10 category A1: Injection (WPScan).

This vulnerability allows users with roles as low as subscriber to read arbitrary files on the server. This means that any authenticated user could potentially access sensitive server files, leading to unauthorized disclosure of confidential information (WPScan).

The vulnerability has been fixed in version 2.8.5 of the Welcart e-Commerce plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).