WPForms Pro < 1.7.7 – CSV Injection | CVE 2022-3574 | Plugin Vulnerabilities

Description

The plugin does not validate its form data when generating the exported CSV, which could lead to CSV injection.

Proof of Concept

- Submit a form using =5+5 as the value.
- Export the data as CSV (from: /wp-admin/admin.php?page=wpforms-entries - /wp-admin/admin.php?page=wpforms-tools&view=export&form=5&&).
- Open the CSV with a spreadsheet application (Excel, Libre Office).
- The CSV formula gets executed.

Affects Plugins

Fixed in 1.7.7

References

CVE

Classification

Type

CSV INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci/

Submitter twitter

Verified

Yes

WPVDB ID

0eae5189-81af-4344-9e96-dd1f4e223d41

Timeline

Publicly Published

2022-10-18 (about 3 years ago)

Added

2022-10-18 (about 3 years ago)

Last Updated

2022-10-19 (about 3 years ago)

Other

Published

Title

Published

2022-10-27

Title

Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection

Published

2022-08-16

Title

Affiliates Manager < 2.9.14 - Affiliate CSV Injection

Published

2023-02-02

Title

Simple History < 3.4.0 - Improper Neutralization of Formula Elements in a CSV File

Published

2020-11-20

Title

Import and export users and customers < 1.16.3.6 - CSV Injection

Published

2023-11-07

Title

Export Users Data CSV < 2.2 - Improper Neutralization of Formula Elements in a CSV File