Vulnerabilities > CVE-2019-15092 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Webtoffee Import Export Wordpress Users

CVSS 7.3 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

webtoffee

CWE-1236

exploit available

NVD

Published: 2019-08-23

Updated: 2020-08-24

Summary

The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.

Vulnerable Configurations

Part	Description	Count
Application	Webtoffee Webtoffee Import Export Wordpress Users - Webtoffee Import Export Wordpress Users 1.0.0 Webtoffee Import Export Wordpress Users 1.0.1 Webtoffee Import Export Wordpress Users 1.0.2 Webtoffee Import Export Wordpress Users 1.0.3 Webtoffee Import Export Wordpress Users 1.0.4 Webtoffee Import Export Wordpress Users 1.0.5 Webtoffee Import Export Wordpress Users 1.0.6 Webtoffee Import Export Wordpress Users 1.0.7 Webtoffee Import Export Wordpress Users 1.0.8 Webtoffee Import Export Wordpress Users 1.0.9 Webtoffee Import Export Wordpress Users 1.1.0 Webtoffee Import Export Wordpress Users 1.1.1 Webtoffee Import Export Wordpress Users 1.1.2 Webtoffee Import Export Wordpress Users 1.1.3 Webtoffee Import Export Wordpress Users 1.1.4 Webtoffee Import Export Wordpress Users 1.1.5 Webtoffee Import Export Wordpress Users 1.1.6 Webtoffee Import Export Wordpress Users 1.1.7 Webtoffee Import Export Wordpress Users 1.1.8 Webtoffee Import Export Wordpress Users 1.1.9 Webtoffee Import Export Wordpress Users 1.2.0 Webtoffee Import Export Wordpress Users 1.2.1 Webtoffee Import Export Wordpress Users 1.2.2 Webtoffee Import Export Wordpress Users 1.2.3 Webtoffee Import Export Wordpress Users 1.2.4 Webtoffee Import Export Wordpress Users 1.2.5 Webtoffee Import Export Wordpress Users 1.2.6 Webtoffee Import Export Wordpress Users 1.2.7 Webtoffee Import Export Wordpress Users 1.2.8 Webtoffee Import Export Wordpress Users 1.2.9 Webtoffee Import Export Wordpress Users 1.3.1	32

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

Exploit-Db

id	EDB-ID:47303
last seen	2019-08-26
modified	2019-08-26
published	2019-08-26
reporter	Exploit-DB
source	https://www.exploit-db.com/download/47303
title	WordPress Plugin Import Export WordPress Users 1.3.1 - CSV Injection

Packetstorm

data source	https://packetstormsecurity.com/files/download/154203/wpimportexportwpusers131-csvinject.txt
id	PACKETSTORM:154203
last seen	2019-08-26
published	2019-08-23
reporter	Javier Olmedo
source	https://packetstormsecurity.com/files/154203/WordPress-Import-Export-WordPress-Users-1.3.1-CSV-Injection.html
title	WordPress Import Export WordPress Users 1.3.1 CSV Injection

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References