
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP. This issue affects UsersWP: from n/a through 1.2.3.9.

The UsersWP plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.2.3.9 via the process_users_export function. This allows administrator-level attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

• https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-3-9-csv-injection?_s_id=cve
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged-in user to overwrite another user's avatar.

• https://wpscan.com/vulnerability/9cf0822a-c9d6-4ebc-b905-95b143d1a692
• CWE-639: Authorization Bypass Through User-Controlled Key