CVE-2022-4663

5.5 MEDIUM

Published: January 03, 2023 Modified: April 08, 2026

Description

The Members Import plugin for WordPress is vulnerable to Self Cross-Site Scripting via the user_login parameter in an imported CSV file in versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site's administrator into uploading a CSV file with the malicious payload.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://plugins.trac.wordpress.org/browser/members-import/trunk/members-import.php#L113

Source: security@wordfence.com

Exploit Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/3abbc407-f660-4b1f-9d48-436320e5fdd7?source=cve

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/members-import/trunk/members-import.php#L113

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/3abbc407-f660-4b1f-9d48-436320e5fdd7

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

5.5 / 10.0

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-79 CWE-79

Affected Vendors

youngtechleads

Related CVEs

CVE-2026-5813 7.3

CVE-2026-5812 5.4

CVE-2026-5811 5.4

CVE-2026-5173 8.5

CVE-2026-4916 2.7