{"api_version":"1","generated_at":"2026-05-13T23:00:18+00:00","cve":"CVE-2022-0360","urls":{"html":"https://cve.report/CVE-2022-0360","api":"https://cve.report/api/cve/CVE-2022-0360.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-0360","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-0360"},"summary":{"title":"CVE-2022-0360","description":"The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escape imported comments, which could allow high privilege users to import malicious ones (either intentionally or not) and lead to Stored Cross-Site Scripting issues","state":"PUBLIC","assigner":"contact@wpscan.com","published_at":"2022-02-28 09:15:00","updated_at":"2023-06-07 02:43:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://plugins.trac.wordpress.org/changeset/2662897","name":"https://plugins.trac.wordpress.org/changeset/2662897","refsource":"CONFIRM","tags":[],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://wpscan.com/vulnerability/d718b993-4de5-499c-84c9-69801396f51f","name":"https://wpscan.com/vulnerability/d718b993-4de5-499c-84c9-69801396f51f","refsource":"MISC","tags":[],"title":"WP Ultimate CSV Importer < 6.4.3 - Admin+ Stored Cross-Site Scripting WordPress Security Vulnerability","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-0360","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0360","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Felipe de 
Avila","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"360","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"smackcoders","cpe5":"easy_drag_and_drop_all_import","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"360","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"smackcoders","cpe5":"import_all_pages\\,_post_types\\,_products\\,_orders\\,_and_users_as_xml_\\&_csv","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"wordpress","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ID":"CVE-2022-0360","ASSIGNER":"contact@wpscan.com","STATE":"PUBLIC","TITLE":"WP Ultimate CSV Importer < 6.4.3 - Admin+ Stored Cross-Site Scripting"},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","generator":"WPScan CVE Generator","affects":{"vendor":{"vendor_data":[{"vendor_name":"Unknown","product":{"product_data":[{"product_name":"Easy Drag And drop All Import : WP Ultimate CSV Importer","version":{"version_data":[{"version_affected":"<","version_name":"6.4.3","version_value":"6.4.3"}]}}]}}]}},"description":{"description_data":[{"lang":"eng","value":"The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escaped imported comments, which could allow high privilege users to import malicious ones (either intentionnaly or not) and lead to Stored Cross-Site Scripting 
issues"}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://wpscan.com/vulnerability/d718b993-4de5-499c-84c9-69801396f51f","name":"https://wpscan.com/vulnerability/d718b993-4de5-499c-84c9-69801396f51f"},{"refsource":"CONFIRM","url":"https://plugins.trac.wordpress.org/changeset/2662897","name":"https://plugins.trac.wordpress.org/changeset/2662897"}]},"problemtype":{"problemtype_data":[{"description":[{"value":"CWE-79 Cross-site Scripting (XSS)","lang":"eng"}]}]},"credit":[{"lang":"eng","value":"Felipe de Avila"}],"source":{"discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2022-02-28 09:15:00","lastModifiedDate":"2023-06-07 02:43:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.7,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:smackcoders:import_all_pages\\,_post_types\\,_products\\,_orders\\,_and_users_as_xml_\\&_csv:*:*:*:*:wordpress:*:*:*","versionEndExcluding":"6.4.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"360","Ordinal":"227018","Title":"CVE-2022-0360","CVE":"CVE-2022-0360","Year":"2022"}
,"notes":[{"CveYear":"2022","CveId":"360","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}