21 matches found

CVE
added 2026/05/04 6:0 a.m. · 6 views

CVE-2026-5335

CVE-2026-5335 affects the Magic Export & Import WordPress plugin (versions before 1.2.0). The root cause is that exported CSV files are stored at a publicly accessible location, enabling unauthenticated disclosure of sensitive user information. The affected component is the export/import facility...

5.3 CVSS · 5.8 AI score · 0.00013 EPSS
Exploits 0 · References 1

RedhatCVE
added 2026/04/02 10:53 a.m. · 3 views

CVE-2026-2696

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing post URLs (including those of private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.3 CVSS · 5.9 AI score · 0.00041 EPSS
Exploits 0 · References 1

Cvelist
added 2026/04/01 6:0 a.m. · 19 views

CVE-2026-2696 Export All URLs < 5.1 - Unauthenticated Sensitive Data Exposure

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing post URLs (including those of private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

0.00041 EPSS
Exploits 0 · References 1

CNNVD
added 2026/02/26 12:0 a.m. · 3 views

Discourse security vulnerability

Discourse is an open-source community discussion platform developed by Discourse. This platform includes features such as communities, email communication, and chat rooms. Versions of Discourse before 2025.12.2, 2026.1.1, and 2026.2.0 have security vulnerabilities. These vulnerabilities stem from...

5.3 CVSS · 5.8 AI score · 0.00049 EPSS
Exploits 0 · References 2

NVD
added 2025/12/12 12:15 p.m. · 1 views

CVE-2025-14442

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and including, 4.9.2. This makes it possible for...

5.3 CVSS · 0.00074 EPSS
Exploits 0 · References 4

EUVD
added 2025/12/12 11:15 a.m. · 1 views

EUVD-2025-203073

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and including, 4.9.2. This makes it possible for...

5.3 CVSS · 5.2 AI score · 0.00074 EPSS
Exploits 0 · References 5

Cvelist
added 2025/12/12 11:15 a.m. · 25 views

CVE-2025-14442 Secure Copy Content Protection and Content Locking <= 4.9.2 - Unauthenticated Sensitive Information Exposure via Exposed CSV Export File

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and including, 4.9.2. This makes it possible for...

5.3 CVSS · 0.00074 EPSS
Exploits 0 · References 4

Vulnrichment
added 2025/10/24 12:29 p.m. · 4 views

CVE-2025-11576 AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant <= 1.6.5 - Unauthenticated CSV Injection

The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebytechatbotexportmessages' function. This makes it possible for...

4.3 CVSS · 6.4 AI score · 0.00187 EPSS
Exploits 0 · References 2

CVE
added 2025/10/23 12:0 a.m. · 12 views

CVE-2025-60852

CVE-2025-60852 is a CSV Injection vulnerability in Instant Developer Foundation before 25.0.9600. The root cause is insufficient sanitization of user-controlled input when generating CSV exports, allowing untrusted content to be included in the exported file. This can lead to code execution on th...

6.5 CVSS · 7.3 AI score · 0.00093 EPSS
Exploits 0 · References 3

Cvelist
added 2025/10/23 12:0 a.m. · 7 views

CVE-2025-60852

A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system...

0.00093 EPSS
Exploits 0 · References 3

RedhatCVE
added 2025/05/22 11:29 p.m. · 2 views

CVE-2022-1194

The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability...

8.8 CVSS · 7.2 AI score · 0.01195 EPSS
Exploits 2 · References 1

Prion
added 2024/02/12 10:15 p.m. · 9 views

Input validation

CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to inject DDE commands into CSV exports via the 'Budget' and 'Patrons Member' components...

7.6 AI score · 0.02967 EPSS
Exploits 1 · References 1

CVE
added 2024/02/12 12:0 a.m. · 78 views

CVE-2024-24337

CVE-2024-24337 affects Koha Library Management System

8.8 CVSS · 7.2 AI score · 0.02967 EPSS
Exploits 1 · References 2 · Affected Software 1

Positive Technologies
added 2022/11/07 12:0 a.m. · 3 views

PT-2022-22908 · WordPress · Export/Import Users/Customers

Name of the Vulnerable Software and Affected Versions: Import and export users and customers WordPress plugin versions prior to 1.20.5
Description: The issue concerns the improper escaping of data when exporting it via CSV files. This could potentially lead to security issues, although specific...

8 CVSS · 7.7 AI score · 0.00838 EPSS
Exploits 2 · References 7

OSV
added 2022/09/16 9:15 a.m. · 1 views

CVE-2022-1194

The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability...

8.8 CVSS · 5.8 AI score
Exploits 0 · References 1

OSV
added 2021/10/06 6:15 p.m. · 16 views

CVE-2021-41128

Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports Statistics & BAG MED contain a CSV Injection Vulnerability. Users of the system are able to submit formula as exported fields which then get...

8.8 CVSS · 7.1 AI score
Exploits 0 · References 5

Prion
added 2021/10/06 6:15 p.m. · 8 views

Input validation

Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports Statistics & BAG MED contain a CSV Injection Vulnerability. Users of the system are able to submit formula as exported fields which then get...

6.5 CVSS · 8.8 AI score · 0.00782 EPSS
Exploits 0 · References 5 · Affected Software 1

OSV
added 2018/05/01 7:29 p.m. · 0 views

CVE-2018-10257

A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution...

8.8 CVSS · 5.8 AI score
Exploits 0 · References 2

Patchstack
added 2017/10/31 12:0 a.m. · 6 views

WordPress WordCamp Talks plugin <= 1.0.0-beta2 - Formula injection via CSV exports

The WordCamp Talks plugin does not sanitize CSV exports properly, which can lead to spreadsheet formula injection via malicious user input.
Solution: Update the plugin...

2.5 AI score
Exploits 0 · References 2 · Affected Software 1

WPVulnDB
added 2017/10/18 12:0 a.m. · 11 views

WordCamp Talks <= 1.0.0-beta2 - Formula injection via CSV exports

Fixed in version 1.0.0-beta3...

4.5 AI score
Exploits 0 · References 2 · Affected Software 1