{"api_version":"1","generated_at":"2026-05-01T01:11:31+00:00","cve":"CVE-2022-2798","urls":{"html":"https://cve.report/CVE-2022-2798","api":"https://cve.report/api/cve/CVE-2022-2798.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-2798","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-2798"},"summary":{"title":"CVE-2022-2798","description":"The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data","state":"PUBLIC","assigner":"contact@wpscan.com","published_at":"2022-09-16 09:15:00","updated_at":"2022-09-20 14:28:00"},"problem_types":["CWE-1236"],"metrics":[],"references":[{"url":"https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd","name":"https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd","refsource":"MISC","tags":[],"title":"Affiliates Manager < 2.9.14 - Affiliate CSV Injection WordPress Security Vulnerability","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-2798","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2798","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"nhatnam","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"2798","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpaffiliatemanager","cpe5":"affiliates_manager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-2798","qid":"150573","title":"WordPress Affiliates Manager Plugin: Multiple Vulnerabilities (CVE-2022-2798,CVE-2022-2799)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ID":"CVE-2022-2798","ASSIGNER":"contact@wpscan.com","STATE":"PUBLIC","TITLE":"Affiliates Manager < 2.9.14 - Affiliate CSV Injection"},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","generator":"WPScan CVE Generator","affects":{"vendor":{"vendor_data":[{"vendor_name":"Unknown","product":{"product_data":[{"product_name":"Affiliates Manager","version":{"version_data":[{"version_affected":"<","version_name":"2.9.14","version_value":"2.9.14"}]}}]}}]}},"description":{"description_data":[{"lang":"eng","value":"The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data"}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd","name":"https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd"}]},"problemtype":{"problemtype_data":[{"description":[{"value":"CWE-1236 Improper Neutralization of Formula Elements in a CSV File","lang":"eng"}]}]},"credit":[{"lang":"eng","value":"nhatnam"}],"source":{"discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2022-09-16 09:15:00","lastModifiedDate":"2022-09-20 14:28:00","problem_types":["CWE-1236"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8,"baseSeverity":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:wpaffiliatemanager:affiliates_manager:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"2.9.14","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}