CVE-2019-15092 Information
Description
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Reference
http://packetstormsecurity.com/files/154203/WordPress-Import-Export-WordPress-Users-1.3.1-CSV-Injection.html
https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/
https://wpvulndb.com/vulnerabilities/9704
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.3
Base Severity
HIGH