cve / WPScan / CVE-2022-2240
Jul 25, 2022 - 1:15 p.m.

CVE-2022-2240

2022-07-25 13:15:08
CWE-1236
WPScan
web.nvd.nist.gov
Tags: cve-2022-2240, request a quote, wordpress plugin, csv files, unauthenticated users, csv injection, nvd

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8.8
Confidence: High

EPSS: 0.003
Percentile: 66.3%

The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin downloads and opens it.

Affected configurations

Nvd, Vulners

Node: emarketdesign | request_a_quote | Range 2.3.7 | wordpress

Vendor | Product | Version | CPE
emarketdesign | request_a_quote | * | cpe:2.3:a:emarketdesign:request_a_quote:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "product": "Request a Quote",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "2.3.7",
        "status": "affected",
        "version": "2.3.7",
        "versionType": "custom"
      }
    ]
  }
]
