CVE-2024-7514 – WordPress Comments Import & Export <= 2.3.7 - Authenticated (Author+) Arbitrary File Read via Directory Traversal
https://notcve.org/view.php?id=CVE-2024-7514
10 Oct 2024 — The WordPress Comments Import & Export plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation during the comments import process, in versions up to, and including, 2.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The issue was partially fixed in version 2.3.8 and fully fixed in 2.3.9 • https://github.com/RandomRobbieBF/CVE-2024-7514 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-45370 – WordPress WordPress Comments Import & Export Plugin <= 2.3.1 is vulnerable to CSV Injection
https://notcve.org/view.php?id=CVE-2022-45370
06 Feb 2023 — Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee WordPress Comments Import & Export. This issue affects WordPress Comments Import & Export: from n/a through 2.3.1. The WordPress Comments Import & Export plugin for WordPress is vulnerable to CSV Injection... • https://patchstack.com/database/vulnerability/comments-import-export-woocommerce/wordpress-wordpress-comments-import-export-plugin-2-3-1-csv-injection?_s_id=cve • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVE-2018-11526 – WordPress Comments Import & Export <= 2.0.4 - CSV Injection
https://notcve.org/view.php?id=CVE-2018-11526
19 Jun 2018 — The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection. The WordPress Comments Import & Export plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 2.0.4 via the form fields. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code exec... • https://www.exploit-db.com/exploits/44940 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-1236: Improper Neutralization of Formula Elements in a CSV File •