WordPress Plugin Vulnerabilities

weForms < 1.6.4 - CSV Injection

Description

The plugin allows CSV injection via a form's entry

Affects Plugins

Plugin icon
weforms
Fixed in 1.6.4

References

CVE
CVE-2020-22276
URL
https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf
URL
https://github.com/BoldGrid/weforms/pull/50/files

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Mohamad Pishdar (cert.ikiu.ac.ir)
Verified
No
WPVDB ID
02bb301b-8880-40e8-a260-de586bc589a1

Timeline

Publicly Published
2020-11-20 (about 5 years ago)
Added
2020-11-20 (about 5 years ago)
Last Updated
2020-12-25 (about 5 years ago)

Other

Published
Title
Published
2022-08-16
Title
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
Published
2022-10-17
Title
Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection
Published
2021-01-25
Title
Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
Published
2024-06-17
Title
Business Directory Plugin < 6.4.4 - Authenticated (Author+) CSV Injection
Published
2025-07-10
Title
Broken Link Notifier < 1.3.1 - Authenticated (Contributor+) CSV Injection