WordPress Plugin Vulnerabilities

Members Import <= 1.4.2 - XSS via Imported CSV

Description

The plugin does not sanitise and escape imported CSV, which could allow attackers to perform Cross-Site Scripting attacks if they can make an admin import a malicious CSV file

Affects Plugins

Plugin icon
members-import
No known fix

References

CVE
CVE-2022-4663

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Saeed Alzahrani
Verified
No
WPVDB ID
4702df0c-f60c-4ef5-862b-3e40460ad9e8

Timeline

Publicly Published
2023-01-03 (about 3 years ago)
Added
2023-01-03 (about 3 years ago)
Last Updated
2023-01-03 (about 3 years ago)

Other

Published
Title
Published
2021-09-28
Title
Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting
Published
2025-01-16
Title
MJ Contact us <= 5.2.3 - Reflected Cross-Site Scripting
Published
2025-08-01
Title
Qi Addons for Elementor < 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via TypeOut Text Widget
Published
2025-11-05
Title
Hotel Booking < 2.2.9 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2024-05-29
Title
WPB Elementor Addons < 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting