PT-2019-13982 · Webtoffee · Webtoffee Wordpress Users & Woocommerce Customers Import Export
Published 2019-08-22 · Updated 2020-08-24 · CVE-2019-15092
CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Webtoffee WordPress Users & WooCommerce Customers Import Export plugin version 1.3.0
Description
The issue allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
Recommendations
For version 1.3.0, consider avoiding the use of the WF_CustomerImpExpCsv_Exporter class until a patch is available. As a temporary workaround, restrict the export functionality to minimize the risk of exploitation.
Exploit
Fix
RCE
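As an added illustration of the CSV injection described above (not the vendor's fix and not code from the plugin), the sketch below neutralises cells that a spreadsheet would evaluate as formulas before they are written to an export. The function names, the user_login column and the sample rows are hypothetical and constructed for this example; the prefixing rule follows the commonly recommended mitigation of prepending a single quote.

```php
<?php
// Added example, not plugin code: neutralise formula-like cells on CSV export.
// Function names and sample rows below are hypothetical / constructed.

/**
 * Return the cell unchanged unless a spreadsheet would treat it as a formula:
 * a leading tab or carriage return, or '=', '+', '-', '@' as the first
 * non-whitespace character. Such cells get a leading single quote so the
 * spreadsheet shows them as text.
 */
function neutralise_cell(string $value): string
{
    if (preg_match('/^(?:[\t\r]|\s*[=+\-@])/', $value) === 1) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Write rows (associative arrays sharing the same keys) to an open stream.
 * Every cell is neutralised, which covers the four columns named in the
 * advisory (user_url, display_name, first_name, last_name) and any others.
 * fputcsv() handles quoting of delimiters and embedded double quotes.
 */
function export_users_csv(array $rows, $handle): void
{
    if ($rows === []) {
        return;
    }
    fputcsv($handle, array_keys($rows[0]), ',', '"', '\\');
    foreach ($rows as $row) {
        $safe = array_map(fn($v) => neutralise_cell((string) $v), $row);
        fputcsv($handle, $safe, ',', '"', '\\');
    }
}

// Constructed sample data: the second row carries harmless formula-like values.
$rows = [
    ['user_login' => 'alice', 'user_url' => 'https://example.test',
     'display_name' => 'Alice', 'first_name' => 'Alice', 'last_name' => 'Ng'],
    ['user_login' => 'test2', 'user_url' => '=1+1',
     'display_name' => '@SUM(1,1)', 'first_name' => '+1', 'last_name' => "\t-2"],
];

$out = fopen('php://output', 'w');
export_users_csv($rows, $out);
fclose($out);
```

Prefixing also alters legitimate values that start with one of these characters (a negative number, for instance), so it suits text fields such as the user profile columns listed in the description.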
Affected Products
Webtoffee Wordpress Users & Woocommerce Customers Import Export