MidnightBSD

Advisories for codection

CVE-2015-9336 MEDIUM

The clean-login plugin before 1.5.1 for WordPress has reflected XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
codection clean_login *
CVE-2017-8875 MEDIUM

CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
codection clean_login 1.7.12
CVE-2018-20101 MEDIUM

The codection "Import users from CSV with meta" plugin before 1.12.1 for WordPress allows XSS via the value of a cell.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
codection import_users_from_csv_with_meta 1.12.1
CVE-2019-14683 MEDIUM

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N 2.1 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
codection import_users_from_csv_with_meta *
CVE-2019-15326 MEDIUM

The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPress has directory traversal.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
codection import_users_from_csv_with_meta *
CVE-2019-15327 MEDIUM

The import-users-from-csv-with-meta plugin before 1.14.1.3 for WordPress has XSS via imported data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
codection import_users_from_csv_with_meta *
CVE-2019-15328 MEDIUM

The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPress has XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
codection import_users_from_csv_with_meta *
CVE-2019-15329 MEDIUM

The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPress has CSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
codection import_users_from_csv_with_meta *
CVE-2020-22277 MEDIUM

Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1236,

Products Affected

Vendor Product Version
codection import_and_export_users_and_customers *
CVE-2022-1255 LOW

The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
codection import_and_export_users_and_customers *
CVE-2022-3558

The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
codection import_and_export_users_and_customers *
CVE-2022-4838

The Clean Login WordPress plugin before 1.13.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
codection clean_login *
CVE-2023-6583

The Import and export users and customers plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.24.2 via the Recurring Import functionality. This makes it possible for authenticated attackers, with administrator access and above, to read and delete the contents of arbitrary files on the server including wp-config.php, which can contain sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
security@wordfence.com 6.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

Products Affected

Vendor Product Version
codection import_and_export_users_and_customers *
CVE-2023-6624

The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.24.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
security@wordfence.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N 1.8 2.7

Products Affected

Vendor Product Version
codection import_and_export_users_and_customers *
CVE-2024-22151

Missing Authorization vulnerability in Codection Import and export users and customers.This issue affects Import and export users and customers: from n/a through 1.24.6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
codection import_and_export_users_and_customers *