CVE-2022-4663 MEDIUM

CVE-2022-4663: Members Import <= 1.4.2 - Self Cross-Site Scripting

Vendor Manishkrag
Product Members Import
Weakness CWE-79 · XSS
Published January 3, 2023
Last update April 8, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Members Import plugin for WordPress is vulnerable to Self Cross-Site Scripting via the user_login parameter in an imported CSV file in versions up to, and including, 1.4.2, due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in pages if they can successfully trick a site's administrator into uploading a CSV file containing the malicious payload.

Key dates

02 Disclosure timeline

January 3, 2023 CVE published
April 8, 2026 Record updated