The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:18
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/wp-users-exporter/trunk/A_UserExporter.class.php - Exploit, Third Party Advisory | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/7da1d7cf-e8b5-4b7c-bdc1-13ef8c11b663?source=cve - | |
References | () https://www.wordfence.com/vulnerability-advisories/#CVE-2022-3026 - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
09 Sep 2022, 02:32
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:wp-users-exporter_project:wp-users-exporter:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
CWE | CWE-1236 | |
References | (MISC) https://www.wordfence.com/vulnerability-advisories/#CVE-2022-3026 - Third Party Advisory | |
References | (MISC) https://plugins.trac.wordpress.org/browser/wp-users-exporter/trunk/A_UserExporter.class.php - Exploit, Third Party Advisory |
06 Sep 2022, 18:50
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-06 18:15
Updated : 2024-11-21 07:18
NVD link : CVE-2022-3026
Mitre link : CVE-2022-3026
CVE.ORG link : CVE-2022-3026
JSON object : View
Products Affected
wp-users-exporter_project
- wp-users-exporter
CWE
CWE-1236
Improper Neutralization of Formula Elements in a CSV File