CVE-2022-2429

MEDIUM

Ultimate SMS Notifications for WooCommerce <1.4.1 - Code Injection

Title source: llm

Description

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

References (2)

[Third Party Advisory] https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2429

[Release Notes, Third Party Advisory] https://plugins.trac.wordpress.org/browser/ultimate-sms-notifications/trunk/README.txt?rev=2441845#L92

Scores

CVSS v3 6.5

EPSS 0.0082

EPSS Percentile 74.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-138 CWE-1236

Status published

Products (1)

ultimatesmsnotifications/ultimate_sms_notifications_for_woocommerce < 1.4.1

Published Sep 06, 2022

Tracked Since Feb 18, 2026