CVE-2022-1194: 
WordPress vulnerability analysis and mitigation

CVE-2022-1194 is a CSV injection vulnerability affecting the Mobile Events Manager WordPress plugin versions before 1.4.8. The vulnerability was discovered by Varun Thorat and publicly disclosed on August 17, 2022. The issue affects the plugin's event and transaction export functionality, specifically in the handling of the Enquiry source field and Paid for field when exporting to CSV format (WPScan).

The vulnerability stems from improper escaping of input fields when exporting data to CSV format. Specifically, the plugin fails to properly sanitize the Enquiry source field during event exports and the Paid for field during transaction exports. The vulnerability is classified as CWE-1236 and has been assigned a CVSS score of 3.7 (low severity). The issue falls under the OWASP Top 10 category A1: Injection (WPScan).

When exploited, this vulnerability allows attackers to inject malicious CSV formulas that execute when the exported file is opened in a spreadsheet application. This can lead to potential code execution in the context of the spreadsheet application when the victim opens the exported CSV file (WPScan).

The vulnerability has been fixed in version 1.4.8 of the Mobile Events Manager plugin. Users are advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).