PT-2022-14958 · WordPress · Import Csv Files

Benachi

Published

2022-07-17

Updated

2023-07-04

CVE-2022-2146

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Import CSV Files WordPress plugin version 1.0

Description The issue is related to the Import CSV Files WordPress plugin, which does not properly sanitise and escape imported data before outputting it back on a page. Additionally, it lacks a CSRF check when performing such actions, resulting in a Reflected Cross-Site Scripting issue.

Recommendations For version 1.0, consider disabling the import functionality until a patch is available to prevent potential exploitation. Restrict access to the plugin's functionality to minimize the risk of Reflected Cross-Site Scripting attacks. Avoid using the plugin for importing CSV files until the issue is resolved.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2022-2146

Affected Products

Import Csv Files

PT-2022-14958 · WordPress · Import Csv Files

CVE-2022-2146

Weakness Enumeration

Related Identifiers

Affected Products

References · 5