5078 matches found
CVE-2022-2268
The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type, allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE...
Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF
The plugin does not have a CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them. PoC: As admin, import the following CSV...
PT-2022-15625 · WordPress · Import Any Xml/Csv File To Wordpress
Name of the Vulnerable Software and Affected Versions: Import any XML or CSV File to WordPress plugin versions prior to 3.6.8 Description: The issue allows high privilege users, such as admins, to upload arbitrary files, including PHP files, by accepting all zip files and automatically extracting...
WordPress Import any XML or CSV File to WordPress <= 3.6.7 - Authenticated Malicious File Upload vulnerability
Authenticated Malicious File Upload vulnerability discovered by yangkang in WordPress Import any XML or CSV File to WordPress versions <= 3.6.7. Solution: Update the WordPress Import any XML or CSV File to WordPress plugin to the latest available version (at least 3.6.8)...
WordPress WP Ultimate CSV Importer Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A server cross-site request...
WordPress Ultimate WooCommerce CSV Importer plugin cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
WordPress Exports and Reports plugin <= 0.9.1 - Authenticated CSV Injection vulnerability
Authenticated CSV Injection vulnerability discovered by websafe2021 in WordPress Exports and Reports plugin versions <= 0.9.1. Solution: Update the WordPress Exports and Reports plugin to the latest available version (at least 0.9.2)...
WordPress Request a Quote plugin <= 2.3.7 - CSV Injection vulnerability
CSV Injection vulnerability discovered by Benachi in WordPress Request a Quote plugin versions <= 2.3.7. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary, pending a full review...
Request a Quote <= 2.3.7 - CSV Injection
The plugin does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin downloads and opens it. PoC: On a page with a Quote Request form, upload the following CSV as an attachment: "First Name","Last...
Request a Quote <= 2.3.7 - CSV Injection
The plugin does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin downloads and opens it. On a page with a Quote Request form, upload the following CSV as an attachment: "First Name","Last...
Import any XML or CSV File to WordPress < 3.6.8 - Admin+ Arbitrary Code Execution
The plugin allows high privilege users such as admin to import zip archives containing PHP files, which could allow admin of multisite setup to perform RCE attacks...
WordPress Import any XML or CSV File to WordPress plugin <= 3.6.7 - Authenticated Arbitrary Code Execution vulnerability
Authenticated Arbitrary Code Execution vulnerability discovered by Universe Patchstack Alliance in WordPress Import any XML or CSV File to WordPress plugin versions <= 3.6.7. Solution: Update the WordPress Import any XML or CSV File to WordPress plugin to the latest available version (at least 3.6.8)...
CVE-2022-1470
The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
CVE-2022-1470
The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
Cross site scripting
The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
CVE-2022-1977 WP Ultimate CSV Importer < 6.5.3 - Admin+ Blind SSRF
The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks...
CVE-2022-1470 Ultimate WooCommerce CSV Importer <= 2.0 - Reflected Cross-Site Scripting
The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
CVE-2022-1470
Vulnerability summary: CVE-2022-1470 affects the WordPress plugin Ultimate WooCommerce CSV Importer (versions up to 2.0). The root cause is failure to sanitize and escape imported data before rendering it on the page, producing a Reflected Cross-Site Scripting vulnerability. Affected software: Wo...
WordPress plugin WP Ultimate CSV Importer code issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A server cross-site request...
WordPress plugin Ultimate WooCommerce CSV Importer cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...