Unrated severityNVD Advisory· Published Sep 6, 2022· Updated Jan 31, 2025

Ultimate SMS Notifications for WooCommerce <= 1.4.1 - CSV Injection

CVE-2022-2429

Description

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing information like their First Name that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Affected products

Homescript/Ultimate Sms Notifications For Woocommercev5
Range: 1.4.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/ultimate-sms-notifications/trunk/README.txtmitrex_refsource_MISC
www.wordfence.com/vulnerability-advisories/mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000