WordPress Plugin Vulnerabilities

Import CSV Files <= 1.0 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
import-csv-files
No known fix

References

CVE
CVE-2022-2146

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Benachi
Submitter
Benachi
Submitter twitter
teradch
Verified
Yes
WPVDB ID
adc1d752-331e-44af-b5dc-b463d56c2cb4

Timeline

Publicly Published
2022-06-21 (about 3 years ago)
Added
2022-06-21 (about 3 years ago)
Last Updated
2023-03-26 (about 2 years ago)

Other

Published
Title
Published
2025-03-11
Title
Lava Ajax Search <= 1.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-10-15
Title
ElementsReady Addons for Elementor < 6.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2021-07-11
Title
WPFront Notification Bar < 2.0.0.07176 - Authenticated Stored XSS
Published
2023-02-24
Title
asMember <= 1.5.4 - Admin+ Stored XSS
Published
2024-08-14
Title
ElementsKit Pro < 3.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting