Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting

2022-04-1100:00:00

0x23.so

wpscan.com

0.001 Low

EPSS

Percentile

24.9%

JSON

The plugin does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues

PoC

As admin, import the below CSV file via Tools > Import and export users and customers (/wp-admin/tools.php?page=acui) user_login user_email display_name role

CPENameOperatorVersion
import-users-from-csv-with-metalt1.19.2.1

CPE	Name	Operator	Version
	import-users-from-csv-with-meta	lt	1.19.2.1

0.001 Low

EPSS

Percentile

24.9%

JSON

Related for WPVDB-ID:22FE68C4-8F47-491E-BE87-5E8E40535A82