WordPress Plugin Vulnerabilities

Visual Form Builder < 3.0.6 - CSV Injection

Description

The plugin is vulnerable to CSV injection: a user with low or no privileges can submit a spreadsheet formula through a form field, and the formula is written verbatim into the exported CSV file, which can lead to code execution when an administrator opens the export in a spreadsheet application.

Proof of Concept

Endpoint - http://<<example.com>>/wordpress/wp-admin/admin.php?page=vfb-export
Payload - `=cmd|' /C notepad'!'A1'` (non-malicious payload)

Issue Description - Entries of the form are vulnerable to CSV/Formula Injection

1. Submit the payload in any field (Text or HTML) of a published form (any user can perform this).
2. Now log in as an admin and go to Visual Form Builder → Export tab.
3. Export the entries as a CSV file and open the file to see the payload getting executed.
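The fix for this class of bug is to neutralise formula triggers at export time rather than at input time, since the same data may be exported by several code paths. The following PHP is an added example written for this page, not the plugin's own code or the patch shipped in 3.0.6; the function names `vfb_example_sanitize_csv_cell` and `vfb_example_export_entries` and the sample entries are constructed for illustration. It prefixes any cell whose first non-blank character is a formula trigger (`=`, `+`, `-`, `@`, tab or carriage return) with a single quote, which Excel and LibreOffice treat as "display as literal text", and writes the rows with `fputcsv` so embedded quotes and delimiters are escaped as well.

```php
<?php
// Added example (not the plugin's code): neutralise spreadsheet formula
// triggers before writing form entries to a CSV export.

// Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
const VFB_EXAMPLE_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Return $value unchanged unless it would be parsed as a formula, in which
 * case prefix it with a single quote. Leading whitespace is skipped when
 * checking because " =cmd" is still evaluated by some applications, but the
 * original value (whitespace included) is preserved in the output.
 */
function vfb_example_sanitize_csv_cell(string $value): string {
    $trimmed = ltrim($value);
    if ($trimmed === '') {
        return $value;
    }
    if (in_array($trimmed[0], VFB_EXAMPLE_FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Write every row of $rows to $path as CSV, sanitising each cell first.
 * fputcsv handles quoting of delimiters, quotes and newlines; the prefix
 * above handles the formula-injection case fputcsv knows nothing about.
 */
function vfb_example_export_entries(array $rows, string $path): void {
    $fh = fopen($path, 'w');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path for writing");
    }
    foreach ($rows as $row) {
        $cells = array_map('vfb_example_sanitize_csv_cell', array_map('strval', $row));
        fputcsv($fh, $cells);
    }
    fclose($fh);
}

// Constructed sample entries; the third row carries the payload from the PoC.
$entries = [
    ['Entry ID', 'Name', 'Message'],
    [1, 'Alice', 'Hello'],
    [2, 'Mallory', "=cmd|' /C notepad'!'A1'"],
    [3, 'Bob', '-5 degrees outside'],
];

// Writes the sanitised CSV to stdout; the payload row becomes
// "'=cmd|' /C notepad'!'A1'" and is displayed, not evaluated.
vfb_example_export_entries($entries, 'php://stdout');
```

The quote prefix is deliberately applied to `-` and `+` as well, so legitimate values such as negative numbers or phone numbers written as `+44 ...` come out as text in the spreadsheet; that is the usual trade-off for an export consumed by humans, and a numeric column that must stay numeric should be cast on the PHP side before export instead of being passed through as a string.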

Affects Plugins

Fixed in 3.0.6

References

Classification

Type
CSV INJECTION
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
Vishnupriya Ilango of Fortinet's FortiGuard Labs
Submitter
Vishnupriya ilango
Verified
Yes

Timeline

Publicly Published
2021-11-03
Added
2022-04-11
Last Updated
2023-03-12
