Easy Digital Downloads < 3.1.0.2 – Unauthenticated CSV Injection | CVE 2022-3600

Description

The plugin does not validate data when its output in a CSV file, which could lead to CSV injection.

Proof of Concept

- Submit an order using =5+5 as "first name" and empty "last name" (the plugin allows that).
- Export the data as CSV from Reports > Export.
- Open the CSV with a spreadsheet application (Excel, Libre Office).
- The CSV formula gets executed.

Affects Plugins

easy-digital-downloads

Fixed in 3.1.0.2

References

CVE

CVE-2022-3600

Classification

Type

CSV INJECTION

OWASP top 10

A1: Injection

CWE

CWE-1236

CVSS

4.7 (medium)

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

francecarlucci

Verified

Yes

WPVDB ID

16e2d970-19d0-42d1-8fb1-e7cb14ace1d0

Timeline

Publicly Published

2022-09-28 (about 1 years ago)

Added

2022-10-28 (about 1 years ago)

Last Updated

2022-10-28 (about 1 years ago)

Other

Published

Title

Published

2022-11-29

Title

Appointment Hour Booking < 1.3.73 - CSV Injection

Published

2023-01-27

Title

Site Reviews < 6.4.0 - Unauthenticated CSV Injection

Published

2022-10-17

Title

Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection

Published

2020-05-29

Title

Connections Business Directory < 9.7 - Admin+ CSV Injection

Published

2022-11-09

Title

Export customers list CSV for WooCommerce < 2.0.69 - CSV Injection