CVE-2022-1539 Exports and Reports < 0.9.2 - Contributor+ CSV Injection

2022-07-2512:46:03

CWE-1236

WPScan

www.cve.org

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.9%

JSON

The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.

CNA Affected

[
  {
    "product": "Exports and Reports",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "0.9.2",
        "status": "affected",
        "version": "0.9.2",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/50f70927-9677-4ba4-a388-0a41ed356523