WordPress Plugin Vulnerabilities

Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection

Description

The plugin was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Attackers can possibly exploit this issue to execute arbitrary commands on the victim's system, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks. Version 1.2.5.4 is vulnerable; prior versions may also be affected.

Proof of Concept

Affects Plugins

Plugin icon
contact-form-cfdb7
Fixed in 1.2.5.6

References

CVE
CVE-2021-24144
URL
https://plugins.trac.wordpress.org/changeset/2460800

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
SunCSR-thiennv
Submitter
thiennv
Verified
Yes
WPVDB ID
143cdaff-c536-4ff9-8d64-c617511ddd48

Timeline

Publicly Published
2021-01-25 (about 4 years ago)
Added
2021-01-25 (about 4 years ago)
Last Updated
2021-01-29 (about 4 years ago)

Other

Published
Title
Published
2020-01-08
Title
WP Users Exporter <= 1.4.2 - CSV Injection
Published
2023-11-07
Title
Export Users Data CSV < 2.2 - Improper Neutralization of Formula Elements in a CSV File
Published
2022-11-29
Title
Appointment Hour Booking < 1.3.73 - CSV Injection
Published
2022-08-16
Title
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
Published
2020-11-20
Title
Import and export users and customers < 1.16.3.6 - CSV Injection