Affiliates Manager < 2.9.14 – Affiliate CSV Injection | CVE 2022-2798 | Plugin Vulnerabilities

Description

The plugin does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data

Proof of Concept

Register as an affiliate and put the following payload in the Firstname, Lastname or Company fields: =10+2+30

As admin, export the Affiliates as CSV (/wp-admin/admin.php?page=wpam-affiliates&tab=export_data) and open the CSV. The formula from the payload will be processed

Affects Plugins

affiliates-manager

Fixed in 2.9.14

References

CVE

Classification

Type

CSV INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

nhatnam

Submitter

nhatnam

Submitter website

https://www.linkedin.com/in/nhat-nam-dinh-14a6a2208/

Verified

Yes

WPVDB ID

f169567d-c682-4abe-94df-a9d00be90edd

Timeline

Publicly Published

2022-08-16 (about 3 years ago)

Added

2022-08-16 (about 3 years ago)

Last Updated

2023-05-09 (about 2 years ago)

Other

Published

Title

Published

2020-01-08

Title

WP Users Exporter <= 1.4.2 - CSV Injection

Published

2022-10-27

Title

Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection

Published

2020-11-20

Title

Easy Registration Forms <= 2.0.6 - CSV Injection

Published

2021-01-25

Title

Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection

Published

2023-02-06

Title

Email Subscribers & Newsletters < 5.5.3 - Improper Neutralization of Formula Elements in a CSV File