CVE-2022-4663

Name of the Vulnerable Software and Affected Versions Members Import plugin for WordPress versions up to, and including, 1.4.2

Description The issue is related to Self Cross-Site Scripting via the user login parameter in an imported CSV file due to insufficient input sanitization and output escaping. This allows attackers to inject arbitrary web scripts in pages that execute if they can trick a site's administrator into uploading a CSV file with the malicious payload.

Recommendations For versions up to, and including, 1.4.2, consider disabling the import functionality of the Members Import plugin until a patch is available, and restrict access to uploading CSV files to minimize the risk of exploitation. As a temporary workaround, avoid using the user login parameter in imported CSV files until the issue is resolved.