WordPress Plugin Vulnerabilities

Affiliates Manager < 2.9.14 - Affiliate CSV Injection

Description

The plugin does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data

Proof of Concept

Register as an affiliate and put the following payload in the Firstname, Lastname or Company fields: =10+2+30

As admin, export the Affiliates as CSV (/wp-admin/admin.php?page=wpam-affiliates&tab=export_data) and open the CSV. The formula from the payload will be processed

Affects Plugins

Plugin icon
affiliates-manager
Fixed in 2.9.14

References

CVE
CVE-2022-2798

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
nhatnam
Submitter
nhatnam
Submitter website
https://www.linkedin.com/in/nhat-nam-dinh-14a6a2208/
Verified
Yes
WPVDB ID
f169567d-c682-4abe-94df-a9d00be90edd

Timeline

Publicly Published
2022-08-16 (about 1 years ago)
Added
2022-08-16 (about 1 years ago)
Last Updated
2023-05-09 (about 1 years ago)

Other

Published
Title
Published
2023-06-08
Title
Metform Elementor Contact Form Builder < 3.3.1 - Unauthenticated CSV Injection
Published
2023-11-07
Title
Export Users Data CSV < 2.2 - Improper Neutralization of Formula Elements in a CSV File
Published
2022-10-27
Title
Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection
Published
2022-09-28
Title
Easy Digital Downloads < 3.1.0.2 - Unauthenticated CSV Injection
Published
2023-02-06
Title
Email Subscribers & Newsletters < 5.5.3 - Improper Neutralization of Formula Elements in a CSV File