WordPress Plugin Vulnerabilities

WP Users Exporter <= 1.4.2 - CSV Injection

Description

The plugin does not validate the data to be exported, which could allow subscribers to add payloads via their profile, which will be embed in the exported CSV and processed as a formula when opened

Affects Plugins

Plugin icon
wp-users-exporter
No known fix

References

CVE
CVE-2022-3026

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Zhouyuan Yang
Verified
No
WPVDB ID
65876fab-2e55-4db1-b83a-a6c4a6021443

Timeline

Publicly Published
2020-01-08 (about 6 years ago)
Added
2022-08-29 (about 3 years ago)
Last Updated
2022-08-29 (about 3 years ago)

Other

Published
Title
Published
2023-11-07
Title
1003 Mortgage Application < 1.80 - Improper Neutralization of Formula Elements in a CSV File
Published
2022-11-29
Title
WP CSV Exporter < 1.3.7 - CSV Injection
Published
2022-09-25
Title
Activity Log < 2.8.4 - CSV Injection
Published
2023-11-07
Title
Export Users Data CSV < 2.2 - Improper Neutralization of Formula Elements in a CSV File
Published
2024-06-06
Title
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection