Vulnerability Details : CVE-2019-11872
The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text.
Products affected by CVE-2019-11872
- cpe:2.3:a:incsub:hustle:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11872
0.78%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 81 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11872
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2019-11872
-
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11872
-
https://blog.reddy.io/category/cybersecurity/
Cybersecurity – REDdy Solutions BlogBroken Link;Exploit;Third Party Advisory
-
https://wordpress.org/plugins/wordpress-popup/#developers
Hustle – Pop-Ups, Slide-ins and Email Opt-ins – WordPress plugin | WordPress.orgRelease Notes
-
https://blog.reddy.io/2019/05/24/reddy-solutions-found-a-csv-injection-vulnerability-in-hustle-wordpress-plugin/
REDdy Solutions found a CSV Injection Vulnerability in Hustle WordPress Plugin – REDdy Solutions BlogBroken Link;Exploit;Third Party Advisory
-
https://wpvulndb.com/vulnerabilities/9326
Hustle <= 6.0.7 - Unauthenticated CSV InjectionThird Party Advisory
Jump to