WordPress Plugin Vulnerabilities

Ultimate SMS Notifications for WooCommerce < 1.4.2 - CSV Injection

Description

The plugin does not validate the data to be exported, which could allow subscribers to add payloads via their billing information, which will be embed in the exported CSV and processed as a formula when opened

Affects Plugins

Plugin icon
ultimate-sms-notifications
Fixed in 1.4.2

References

CVE
CVE-2022-2429

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Zhouyuan Yang
Verified
No
WPVDB ID
a66b1c72-70c1-423f-be00-9aee77a71711

Timeline

Publicly Published
2020-12-18 (about 5 years ago)
Added
2022-08-29 (about 3 years ago)
Last Updated
2022-08-29 (about 3 years ago)

Other

Published
Title
Published
2022-08-17
Title
Mobile Events Manager < 1.4.8 - Admin+ CSV Injection
Published
2023-02-06
Title
Email Subscribers & Newsletters < 5.5.3 - Improper Neutralization of Formula Elements in a CSV File
Published
2022-05-18
Title
WP-CRM <= 1.2.1 - CSV Injection
Published
2022-10-27
Title
Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection
Published
2020-11-20
Title
Easy Registration Forms <= 2.0.6 - CSV Injection