PT-2019-13982 · Webtoffee · Webtoffee Wordpress Users & Woocommerce Customers Import Export
Published: 2019-08-22 · Updated: 2020-08-24 · CVE-2019-15092
CVSS v3.1: 7.3 (High)
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
webtoffee WordPress Users & WooCommerce Customers Import Export plugin version 1.3.0
Description
The issue allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
Recommendations
For version 1.3.0, consider avoiding the use of the WF_CustomerImpExpCsv_Exporter class until a patch is available. As a temporary workaround, restrict the export functionality to minimize the risk of exploitation.
Exploit
Fix
RCE
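One way to neutralise formula-leading cells in the four affected columns at export time, shown as an added example that is not the plugin's code or its patch. The function names and sample rows are constructed, and the approach is the common mitigation of prefixing a single quote so the spreadsheet treats the cell as text.

```php
<?php
// Added example: not taken from the plugin. All names and data are constructed.

// Leading characters that spreadsheet applications interpret as the start of a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/** Return the cell unchanged unless it would be evaluated as a formula. */
function neutralise_csv_cell(string $value): string
{
    // Look past leading spaces so " =..." is treated like "=...".
    $first = substr(ltrim($value, ' '), 0, 1);
    if (in_array($first, FORMULA_TRIGGERS, true)) {
        return "'" . $value; // a leading quote forces text interpretation
    }
    return $value;
}

/** Write the user rows as CSV, neutralising every cell before it is written. */
function export_users_csv(array $users, $handle): void
{
    // The columns named in the advisory.
    $columns = ['user_url', 'display_name', 'first_name', 'last_name'];
    fputcsv($handle, $columns, ',', '"', '\\');
    foreach ($users as $user) {
        $row = [];
        foreach ($columns as $col) {
            $row[] = neutralise_csv_cell((string) ($user[$col] ?? ''));
        }
        // fputcsv handles quoting of commas, quotes and newlines.
        fputcsv($handle, $row, ',', '"', '\\');
    }
}

// Constructed sample data: the second row has formula-leading values in each column.
$users = [
    ['user_url' => 'https://example.test', 'display_name' => 'Alice',
     'first_name' => 'Alice', 'last_name' => 'Ng'],
    ['user_url' => '=1+1', 'display_name' => '@user',
     'first_name' => '+Sam', 'last_name' => '-Lee'],
];

$out = fopen('php://output', 'w');
export_users_csv($users, $out);
fclose($out);
```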
Weakness Enumeration
Related Identifiers
Affected Products
Webtoffee Wordpress Users & Woocommerce Customers Import Export