WordPress Plugin Vulnerabilities

Easy Registration Forms <= 2.0.6 - CSV Injection

Description

Easy Registration Forms (ER Forms) Wordpress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is no check on this inputs and the codes are executable.

Affects Plugins

Plugin icon
easy-registration-forms
No known fix

References

CVE
CVE-2020-22275
URL
https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22275.pdf

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Mohamad Pishdar (cert.ikiu.ac.ir)
Verified
No
WPVDB ID
2f32bcd9-7902-4f05-ab23-2fa50720d90b

Timeline

Publicly Published
2020-11-20 (about 5 years ago)
Added
2020-11-20 (about 5 years ago)
Last Updated
2020-11-21 (about 5 years ago)

Other

Published
Title
Published
2023-11-07
Title
Export Users Data CSV < 2.2 - Improper Neutralization of Formula Elements in a CSV File
Published
2023-01-27
Title
Site Reviews < 6.4.0 - Unauthenticated CSV Injection
Published
2025-07-10
Title
Broken Link Notifier < 1.3.1 - Authenticated (Contributor+) CSV Injection
Published
2022-08-16
Title
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
Published
2022-11-17
Title
Export Users With Meta <= 0.6.10 - Subscriber+ CSV Injection