Vulnerability Description
The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Incsub | Hustle | < 6.0.8.1 |
Related Weaknesses (CWE)
References
- https://blog.reddy.io/2019/05/24/reddy-solutions-found-a-csv-injection-vulnerabiBroken LinkExploitThird Party Advisory
- https://blog.reddy.io/category/cybersecurity/Broken LinkExploitThird Party Advisory
- https://wordpress.org/plugins/wordpress-popup/#developersRelease Notes
- https://wpvulndb.com/vulnerabilities/9326Third Party Advisory
- https://blog.reddy.io/2019/05/24/reddy-solutions-found-a-csv-injection-vulnerabiBroken LinkExploitThird Party Advisory
- https://blog.reddy.io/category/cybersecurity/Broken LinkExploitThird Party Advisory
- https://wordpress.org/plugins/wordpress-popup/#developersRelease Notes
- https://wpvulndb.com/vulnerabilities/9326Third Party Advisory
FAQ
What is CVE-2019-11872?
CVE-2019-11872 is a vulnerability with a CVSS score of 8.8 (HIGH). The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker wi...
How severe is CVE-2019-11872?
CVE-2019-11872 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11872?
Check the references section above for vendor advisories and patch information. Affected products include: Incsub Hustle.