CVE-2022-2429
moderate-risk
Published 2022-09-06
The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that is embedded in the CSV file exported by an administrator, and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
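The mitigation for this class of bug is to neutralize formula-triggering prefixes in every user-controlled cell before the export is written. The following is an added example, not code from the plugin or from the advisory; it is written in Python rather than the plugin's PHP, and the billing rows and field names are constructed for illustration.

```python
import csv
import io

# Characters that spreadsheet applications interpret as the start of a formula,
# or that can break a value out of its cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r", "\n")

def neutralize_cell(value):
    """Return a cell value that a spreadsheet will treat as literal text.

    Leading whitespace is stripped before the check so that " =cmd" is also
    caught. A leading single quote forces text interpretation in common
    spreadsheet applications. Embedded double quotes are handled by the csv
    module's quoting, so only the formula trigger needs attention here.
    Legitimate values such as phone numbers starting with "+" are quoted too;
    that is the accepted cost of the mitigation.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip().startswith(FORMULA_PREFIXES):
        return "'" + value
    return value

def export_billing_csv(rows, fieldnames):
    """Serialize user-supplied billing rows to CSV with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()

# Constructed sample rows (assumed field names): one ordinary customer and one
# whose First Name starts with a formula character, as the advisory describes.
SAMPLE_ROWS = [
    {"first_name": "Alice", "last_name": "Smith", "phone": "+1 555 0100"},
    {"first_name": "=2+2", "last_name": "Mallory", "phone": "555-0199"},
]

if __name__ == "__main__":
    print(export_billing_csv(SAMPLE_ROWS, ["first_name", "last_name", "phone"]))
```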
Do I need to act?
EPSS score: 0.82% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 6.5/10 (Medium), attack vector NETWORK, LOW attack complexity
Affected Products (1)
Ultimate SMS Notifications for WooCommerce
References (4)
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2429
Risk score: 32 / 100 (moderate-risk)
Severity: 24/34 · High
Exploitability: 3/34 · Minimal
Exposure: 5/34 · Minimal