Description
The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/50f70927-9677-4ba4-a388-0a41ed356523
Scores
CVSS v3
8.8
EPSS
0.0119
EPSS Percentile
63.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
exports_and_reports_project/exports_and_reports
< 0.9.2
Published
Jul 25, 2022
Tracked Since
Feb 18, 2026