CVE-2022-2798: 
WordPress vulnerability analysis and mitigation

The Affiliates Manager WordPress plugin versions before 2.9.14 contain a CSV injection vulnerability (CVE-2022-2798). The vulnerability was discovered and publicly disclosed on August 16, 2022. The issue affects the plugin's data export functionality where affiliate data is not properly validated and sanitized (WPScan).

The vulnerability stems from improper validation and sanitization of affiliate data in the Affiliates Manager plugin. When exporting affiliate data as CSV, the plugin fails to properly sanitize input fields like Firstname, Lastname, or Company, allowing formula injection attacks. The vulnerability has been assigned a CVSS score of 4.4 (Medium) and is classified as CWE-1236. It falls under the OWASP Top 10 category A1: Injection (WPScan).

When exploited, this vulnerability allows attackers to inject formula payloads into CSV exports. When an administrator opens the exported CSV file, the injected formulas are processed by the spreadsheet application, potentially leading to data manipulation or malicious code execution within the context of the spreadsheet application (WPScan).

The vulnerability has been fixed in version 2.9.14 of the Affiliates Manager plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).