CVE-2022-41616 HIGH

CVE-2022-41616: WordPress Export Users Data CSV Plugin <= 2.1 is vulnerable to CSV Injection

Vendor Kaushik Kalathiya
Product Export Users Data CSV
Weakness CWE-1236
Published November 7, 2023
Last update April 28, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

Improper Neutralization of Formula Elements in a CSV File vulnerability in Kaushik Kalathiya Export Users Data CSV. This issue affects Export Users Data CSV: from n/a through 2.1.
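As a defensive illustration of what neutralizing formula elements means for a user-data CSV export, the following PHP sketch is an added example, not the plugin's code. The function names and sample rows are constructed, and the apostrophe prefix follows OWASP's CSV injection guidance.

```php
<?php
// Added example, not the plugin's code: neutralise formula elements (CWE-1236)
// in user-controlled fields before they are written to a CSV export.
// Function names and the sample rows are constructed for illustration.

// Leading characters that spreadsheet applications interpret as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

function neutralize_csv_cell($value): string
{
    $value = (string) $value;
    // Inspect the first non-space character so " =..." is caught too.
    $probe = ltrim($value, ' ');
    if ($probe === '' || is_numeric($value)) {
        return $value; // empty cells and plain numbers such as "-5" stay as data
    }
    if (in_array($probe[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value; // OWASP guidance: prefix so the cell is read as text
    }
    return $value;
}

function export_users_csv(array $rows): string
{
    $out = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        // fputcsv quotes commas, quotes and newlines; neutralisation is a separate step.
        fputcsv($out, array_map('neutralize_csv_cell', $row), ',', '"', '\\');
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Constructed sample: the second user's display name starts with a formula character.
$rows = [
    ['user_login', 'display_name', 'balance'],
    ['alice', 'Alice Example', '-5'],
    ['bob', '=1+1', '12'],
];
echo export_users_csv($rows);
```

The neutralisation is applied at export time to every field, so values already stored in user profiles are covered without changing the database.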

Explanation of Vulnerability in Simple Terms

02 Summary

Export Users Data CSV versions up to 2.1 contain an authorization flaw that allows authenticated users to read and modify sensitive data belonging to other users. An attacker with low-level site access can export user information or alter records by manipulating requests. The vulnerability requires user interaction and affects confidentiality and integrity of user data.

What an attacker can do

03 Attacker Capabilities

Read and modify other users' data, including exporting sensitive information or changing user records.

Potential impact on your site

04 Site Impact

User data can be exposed or altered by attackers with basic site access; user privacy and data integrity are at risk.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege account on the site and trick a user into clicking a malicious link or visiting a crafted page.

Key dates

06 Disclosure timeline

November 7, 2023 CVE published
April 28, 2026 Record updated