CVE-2022-2429: 
WordPress vulnerability analysis and mitigation

The Ultimate SMS Notifications for WooCommerce WordPress plugin contains a CSV Injection vulnerability (CVE-2022-2429) in versions up to and including 1.4.1. The vulnerability was discovered in the 'Export Utility' functionality and was disclosed on September 6, 2022. This security issue affects WordPress installations with the Ultimate SMS Notifications plugin installed (NVD).

The vulnerability allows authenticated attackers, including subscribers, to inject malicious content into billing information fields like First Name. When an administrator exports this data to CSV format, the embedded malicious content can result in code execution if the CSV file is opened on a vulnerable local system. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (HIGH) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, while Wordfence assessed it at 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) (NVD).

If successfully exploited, this vulnerability could lead to code execution on local systems when exported CSV files containing malicious content are opened in applications that process CSV files. The impact requires user interaction in the form of downloading and opening the exported file on a vulnerable system configuration (NVD).

Users should update the Ultimate SMS Notifications for WooCommerce plugin to a version newer than 1.4.1. Additionally, administrators should exercise caution when opening exported CSV files and ensure their systems are properly configured to handle CSV files securely (NVD).