WordPress WordPress Comments Import & Export Plugin <= 2.3.1 is vulnerable to CSV Injection
CVE-2022-45370

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: WordPress Comments Import & Export
Vendor: CVE Published:; 7 November 2023

Summary

A vulnerability exists in the WebToffee Comments Import & Export plugin for WordPress that allows for improper neutralization of formula elements in CSV files. An attacker could exploit this issue to inject malicious formulas, potentially leading to unauthorized access or other malicious outcomes. This affects versions prior to 2.3.1, emphasizing the need for users to update to the latest version to ensure their WordPress sites remain secure.

Affected Version(s)

WordPress Comments Import & Export <= 2.3.1

References

https://patchstack.com/database/vulnerability/comments-im...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 7, 2023
Vulnerability Reserved
Nov 14, 2022

Credit

Mika (Patchstack Alliance)