CVE-2022-2429

Name of the Vulnerable Software and Affected Versions Ultimate SMS Notifications for WooCommerce plugin for WordPress versions up to, and including, 1.4.1

Description The issue is related to a CSV Injection vulnerability in the 'Export Utility' functionality. This allows authenticated attackers, such as subscribers, to embed untrusted input into billing information, like the First Name, which can result in code execution when the exported CSV file is downloaded and opened on a local system with a vulnerable configuration. The vulnerability can be exploited by a remote attacker to perform cross-site scripting attacks.

Recommendations For versions up to, and including, 1.4.1, consider disabling the 'Export Utility' functionality until a patch is available to prevent exploitation. Restrict access to the billing information to minimize the risk of attackers embedding malicious input. As a temporary workaround, avoid using the 'Export Utility' feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.