• Resolved iugoau

    (@iugoau)


    Hi Daniel,

    Firstly, thank you for your work on the Export Users With Meta plugin — it has been incredibly useful and works great for our needs. We truly appreciate your continued support and updates.

    We’re reaching out to kindly confirm the current status of the CSV/formula injection vulnerability (CSV Injection / CVE-2022-44577).

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-export-with-their-meta-data/export-users-with-meta-068-csv-injection

    We noticed that version 0.6.9 includes a changelog entry stating that this issue has been addressed:

    0.6.9 – [Bug] Fix formula injection vulnerability

    However, Wordfence’s vulnerability feed still flags this issue as unpatched, which has raised some concern on our end, particularly given the severity rating (CVSS score of 8.0).

    Could you kindly confirm whether version 0.6.9 fully mitigates the vulnerability?

    Thank you again for your excellent work on the plugin. We look forward to your clarification.

Viewing 1 replies (of 1 total)
  • Plugin Author Daniel Loureiro

    (@loureirorg)

    Hi iugoau,

    Thank you so much for bringing this to my attention and for your kind words about the plugin. I really appreciate users like you who take the time to help ensure everyone’s security.

    You’re absolutely right to be concerned about security, and I want to assure you that the CSV injection vulnerability (CVE-2022-44577) was indeed fully resolved in version 0.6.10, which was released on November 19, 2022.

    Here’s what happened:

    • The vulnerability was reported and the plugin was temporarily suspended by ww.wp.xz.cn on November 14, 2022
    • I initially released version 0.6.9 attempting to fix the issue, but this version had a bug rendering the plugin unusable
    • I fixed the issue and released version 0.6.10 on November 19, 2022
    • ww.wp.xz.cn reviewed the fix and officially re-listed the plugin on November 21, 2022, confirming the vulnerability was properly addressed

    The issue you’re seeing is that Patchstack’s vulnerability database hasn’t been updated to reflect that the vulnerability was patched over 2 years ago. This unfortunately happens sometimes with vulnerability databases.

    I’ve just contacted Patchstack directly ([email protected]) to request they update their database to show the correct status. I’ve provided them with the full timeline and ww.wp.xz.cn’s official confirmation of the fix.

    Bottom line: If you’re using version 0.6.10 or later (current version is 0.6.10), you are fully protected against this vulnerability. The plugin has been secure for over 2 years now.

    Thank you again for your diligence and for using the plugin. Users like you help make the WordPress ecosystem safer for everyone.

    Best regards, Daniel
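For readers who want to verify for themselves that an export from their installed version no longer contains formula-triggering cells, here is an added example (not code from the Export Users With Meta plugin or from its author) that audits a CSV file for the cell prefixes spreadsheet applications treat as formulas, and shows the commonly recommended mitigation of prefixing such cells with an apostrophe so they are rendered as literal text. The sample export is constructed for the example; the column names and the mitigation shown are assumptions about the general class of fix, not a description of what version 0.6.10 does internally.

```python
import csv
import io

# Leading characters that make common spreadsheet applications evaluate a
# cell as a formula rather than display it as text (the CSV/formula
# injection trigger set).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export: one row carries user-supplied profile values
# that would be evaluated if opened unsanitized in a spreadsheet.
SAMPLE_EXPORT = (
    "user_login,display_name,user_email,company\r\n"
    "alice,Alice,alice@example.com,Acme\r\n"
    'mallory,=1+1,mallory@example.com,"@SUM(A1:A2)"\r\n'
)


def is_formula_like(cell: str) -> bool:
    """Return True if the cell text would be interpreted as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def audit_csv(text: str) -> list[tuple[int, int, str]]:
    """Detection: scan CSV text and report (row, column, value) for every
    cell that starts with a formula trigger. An empty list means the
    export contains no formula-like cells."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text, newline=""))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


def neutralize_cell(value: object) -> str:
    """Mitigation: prefix formula-like cells with an apostrophe so the
    spreadsheet shows them as text. Note this also applies to legitimate
    negative numbers such as "-5"; that trade-off is usually accepted for
    user-controlled string fields."""
    cell = str(value)
    return "'" + cell if is_formula_like(cell) else cell


def export_safe_csv(rows: list[list[object]]) -> str:
    """Write rows as CSV with every cell neutralized and fully quoted,
    so embedded commas, quotes and newlines cannot break the structure."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Audit the unsanitized sample, then show that a re-export of the same
    # rows through export_safe_csv() yields no findings.
    print("findings in raw export:", audit_csv(SAMPLE_EXPORT))
    rows = list(csv.reader(io.StringIO(SAMPLE_EXPORT, newline="")))
    print("findings in safe export:", audit_csv(export_safe_csv(rows)))
```

To check a real export, read the downloaded file into a string and pass it to `audit_csv()`; a non-empty result lists exactly which cells a spreadsheet would evaluate.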


The topic ‘Clarification on CSV Injection Vulnerability Patch Status’ is closed to new replies.