CSV Injection Vulnerability in Advanced Order Export For WooCommerce Plugin by WordPress
CVE-2018-11525

7.8HIGH

Key Information:

Vendor

Wordpress
Status
Advanced Order Export
Vendor
CVE Published:
19 June 2018

What is CVE-2018-11525?

The Advanced Order Export For WooCommerce plugin for WordPress is susceptible to CSV Injection, which allows malicious actors to inject crafted CSV data. When this plugin processes CSV files, it fails to adequately sanitize user inputs, potentially enabling an attacker to execute arbitrary commands upon file download. This poses a significant security risk to users who might inadvertently open a compromised CSV file, leading to the exposure of sensitive data or unintended actions on the system.

References

https://www.exploit-db.com/exploits/44931/
exploitx_refsource_EXPLOIT-DB
https://wpvulndb.com/vulnerabilities/9096
x_refsource_MISC
https://wordpress.org/plugins/woo-order-export-lite/#deve...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.