CSV Injection Vulnerability in Hustle Plugin for WordPress
CVE-2019-11872

8.8 HIGH

Key Information:

Vendor: WordPress
Status
Vendor
CVE Published: 29 May 2019

Summary

The Hustle plugin version 6.0.7 for WordPress is susceptible to CSV Injection, allowing attackers to inject harmful code into pop-up windows. This vulnerability arises because the plugin fails to properly sanitize user input, enabling the insertion of arbitrary text. If exploited, an attacker could leverage this flaw to execute malicious code on the administrator's machine through Excel functions, posing a significant risk to the security of the WordPress site.
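The missing sanitization step described above belongs at export time, where submitted values are written into the CSV an administrator later opens. The following is an added example, not the Hustle plugin's own code: the function names and sample rows are constructed for illustration, and it assumes PHP 7.4 or later.

```php
<?php
// Added example: neutralise spreadsheet formula triggers on CSV export.
// Function names are hypothetical; this is not code from the Hustle plugin.

function neutralise_csv_cell(string $value): string
{
    // Plain numbers such as "-12.5" are harmless and stay usable as numbers.
    if (is_numeric($value)) {
        return $value;
    }
    // Leading characters that make spreadsheet applications evaluate a cell.
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    // Check the first character after any leading spaces as well.
    $probe = ltrim($value, ' ');
    if ($probe !== '' && in_array($probe[0], $triggers, true)) {
        // A leading apostrophe makes the application treat the cell as text.
        return "'" . $value;
    }
    return $value;
}

function export_rows_as_csv(array $rows): string
{
    $out = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        $cells = array_map('neutralise_csv_cell', array_map('strval', $row));
        // fputcsv handles quoting of commas, quotes and newlines;
        // the empty escape argument disables PHP's non-standard escaping.
        fputcsv($out, $cells, ',', '"', '');
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Constructed sample of user-submitted form data.
$rows = [
    ['name', 'email'],
    ['Alice', 'alice@example.com'],
    ['=1+1', 'bob@example.com'],        // formula-style input
    ['-12.5', '@SUM(A1:A2)'],           // number kept, "@" value neutralised
    ['+1 555 0100', '  =A1'],           // phone-like text and padded formula
];

echo export_rows_as_csv($rows);
```

The apostrophe prefix changes the stored text, so apply it only when generating the export and keep the original values in the database.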

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
