CVE-2019-11872
Hustle <= 6.0.7 - Unauthenticated CSV Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text.
El complemento de Hustle (conocido como wordpress-popup) versión 6.0.7 para WordPress es vulnerable a la inyección de CSV, ya que permite inyectar códigos maliciosos en una ventana emergente. La explotación exitosa concede a un atacante el derecho de ejecutar códigos maliciosos en la computadora del administrador mediante funciones de Excel, ya que el complemento no realiza el saneamiento de la entrada del usuario y permite la inserción de cualquier texto.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-05-09 CVE Reserved
- 2019-05-24 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-10-19 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://wordpress.org/plugins/wordpress-popup/#developers | Release Notes | |
| https://wpvulndb.com/vulnerabilities/9326 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://blog.reddy.io/2019/05/24/reddy-solutions-found-a-csv-injection-vulnerability-in-hustle-wordpress-plugin | 2024-08-04 | |
| https://blog.reddy.io/category/cybersecurity | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|