Smackcoders: Security Vulnerabilities
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and view exported files.
CVSS Score
7.5
EPSS Score
0.006
Published
2023-08-04
The Visual Email Designer for WooCommerce WordPress plugin before 1.7.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author.
CVSS Score
8.8
EPSS Score
0.003
Published
2023-01-02
The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin
CVSS Score
7.2
EPSS Score
0.003
Published
2022-10-17
The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce
CVSS Score
4.2
EPSS Score
0.001
Published
2022-10-17
The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks
CVSS Score
7.2
EPSS Score
0.007
Published
2022-06-27
The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escaped imported comments, which could allow high privilege users to import malicious ones (either intentionnaly or not) and lead to Stored Cross-Site Scripting issues
CVSS Score
4.8
EPSS Score
0.002
Published
2022-02-28
The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter.
CVSS Score
9.8
EPSS Score
0.005
Published
2019-09-20
The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-09-17
The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-09-17
The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-08-14