CVE-2019-15092

Import Export WordPress Users and WooCommerce Customers <= 1.3.1 - CSV Injection

Severity Score

7.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.

El plugin webtoffee "Usuarios de WordPress y clientes de WooCommerce Import Export Export" 1.3.0 para WordPress permite la inyección de CSV en las columnas user_url, display_name, first_name y last_name en un archivo CSV exportado creado por la clase WF_CustomerImpExpCsv_Exporter.

The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.1 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.

WordPress Import Export WordPress Users plugin version 1.3.1 suffers from a CSV injection vulnerability.

*Credits: Javier Olmedo

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-08-22 CVE Published
2019-08-15 CVE Reserved
2019-08-26 First Exploit
2024-08-05 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CAPEC

References (4)

URL	Tag	Source
https://wpvulndb.com/vulnerabilities/9704	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/47303	2019-08-26
http://packetstormsecurity.com/files/154203/WordPress-Import-Export-WordPress-Users-1.3.1-CSV-Injection.html	2024-08-05
https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Webtoffee Search vendor "Webtoffee"		Import Export Wordpress Users Search vendor "Webtoffee" for product "Import Export Wordpress Users"				<= 1.3.1 Search vendor "Webtoffee" for product "Import Export Wordpress Users" and version " <= 1.3.1"		wordpress		Affected