CVE-2022-2798

Published: Sep 16, 2022Modified: Jun 17, 2026

8.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.1 / Impact: 5.9

Source: NVD

Description

The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data

Affected (1)

Products: Wpaffiliatemanager: Affiliates Manager

Wpaffiliatemanager

1 product

Affiliates Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpaffiliatemanager Affiliates Manager	Before 2.9.14

Related CWEs

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

References (2)

https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.