Improper Neutralization of Formula Elements in a CSV File
CVE-2022-2798
Summary
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data
- LOW
- NETWORK
- HIGH
- UNCHANGED
- REQUIRED
- LOW
- HIGH
- HIGH
CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.
References
Advisory Timeline
- Published