Ultimate SMS Notifications for WooCommerce <= 1.4.1 - CSV Injection
CVE-2022-2429

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Ultimate Sms Notifications For WooCommerce
Vendor: CVE Published:; 6 September 2022

What is CVE-2022-2429?

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Affected Version(s)

Ultimate SMS Notifications for WooCommerce 1.4.1

References

https://www.wordfence.com/vulnerability-advisories/#CVE-2...

x_refsource_MISC

https://plugins.trac.wordpress.org/browser/ultimate-sms-n...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 6, 2022
Vulnerability Reserved
Jul 15, 2022

Credit

Zhouyuan Yang