CVE-2019-15092

HIGH

Webtoffee WordPress Users & WooCommerce Customers Import Export <1....

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-15092. PoCs published by Javier Olmedo.

AI-analyzed exploit summary This exploit demonstrates a CSV injection vulnerability in the WordPress plugin 'Import Export WordPress Users' <= 1.3.1, allowing command execution when a malicious CSV file is opened by a privileged user. The payloads leverage formula injection to trigger remote code execution via PowerShell.

Description

The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.

Exploits (1)

exploitdb WORKING POC
by Javier Olmedo · textwebappsphp
https://www.exploit-db.com/exploits/47303

This exploit demonstrates a CSV injection vulnerability in the WordPress plugin 'Import Export WordPress Users' <= 1.3.1, allowing command execution when a malicious CSV file is opened by a privileged user. The payloads leverage formula injection to trigger remote code execution via PowerShell.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Plugin Import Export WordPress Users <= 1.3.1
Auth required
Prerequisites: Subscriber-level access to modify user fields · Admin-level access to export CSV · Victim must open the exported CSV file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9704

Scores

CVSS v3 7.3
EPSS 0.0514
EPSS Percentile 91.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-1236
Status published
Products (1)
webtoffee/import_export_wordpress_users < 1.3.1
Published Aug 23, 2019
Tracked Since Feb 18, 2026