CVE-2022-3558 The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.

This is a serious issue because improperly escaped data can cause security problems when the exported file is used by other applications or services. This version of the plugin was released on December 16th, 2018, so if you are using an older version you should update it as soon as possible. This issue was discovered by Nickie Wells, a security researcher at the firm Rendition Infosec, and was reported to the WordPress security team. In order to prevent users from accidentally exposing sensitive data, the plugin developers are now displaying a warning when you try to export data via CSV.

What is Export to CSV?

Export to CSV allows you to export data from your WordPress database to a CSV file. This is useful for importing the data into Excel, Google Sheets, and other applications.

The Import Export plugin

The Import Export plugin allows you to easily export data from WordPress sites in a CSV format. This is useful if you need to import your data into another application like Microsoft Excel or Google Sheets.

How to check if you are affected by CVE-2022-3558

If you are using the CSV export function of the plugin, then your site is likely not vulnerable. To check if this is true for your site, access the "Sites" tab in a-PDF.com Settings and then click on "Export to CSV."
If this is the case for you, then you will see a warning that no malicious data was found in your exported file.

CSV Export plugin limitation

This limitation is because the plugin developers didn't want to restrict users from exporting information in a CSV file. Since this version of the plugin was released, they were able to fix it with a warning that is displayed when you try to export data. In order to ensure that your data is safe, use the latest version of the WordPress CSV Export plugin and make sure you are using the most current security patch for your site.
