
CVSS: 8.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.

The Import and export users and customers plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.20.4. This allows subscriber-level attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

• https://plugins.trac.wordpress.org/changeset?new=2798139%40import-users-from-csv-with-meta&old=2785785%40import-users-from-csv-with-meta
• https://wpscan.com/vulnerability/e3d72e04-9cdf-4b7d-953e-876e26abdfc6
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitize and escape imported CSV data, which could allow high privilege users to import malicious JavaScript code and lead to Stored Cross-Site Scripting issues.

• https://wpscan.com/vulnerability/22fe68c4-8f47-491e-be87-5e8e40535a82
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.0 | EPSS: 0% | CPEs: 1 | EXPL: 2

Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile.

Import and export users and customers WordPress Plugin through 1.16.3.5 allows CSV injection via a customer's profile.

• https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22277.pdf
• https://mega.nz/file/bSQnlS4R#UY_ozLkvXgXFKzqtTRKeB9RXGi6aEQF3X6eKXdSiBt0
• https://wordpress.org/plugins/import-users-from-csv-with-meta/#:~:text=Install%20Import%20and%20export%20users%20and%20customers%20automatically%2Cis%20uploaded%20and%20extracted%2C%20click%20Activate%20Plugin%20.
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File