WordPress Plugin Vulnerabilities
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
Description
The plugin does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data
Proof of Concept
Register as an affiliate and put the following payload in the Firstname, Lastname or Company fields: =10+2+30 As admin, export the Affiliates as CSV (/wp-admin/admin.php?page=wpam-affiliates&tab=export_data) and open the CSV. The formula from the payload will be processed
Affects Plugins
References
CVE
Classification
Type
CSV INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
nhatnam
Submitter
nhatnam
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-16 (about 1 years ago)
Added
2022-08-16 (about 1 years ago)
Last Updated
2023-05-09 (about 1 years ago)