Export Users to CSV <= 1.1.1 – CSV Injection | CVE 2018-15571 | Plugin Vulnerabilities

Description

WordPress Export users to CSV plugin version 1.1.1. and before are affected by Remote Code Execution through the CSV injection vulnerability. This allows an application user to inject commands as part of the fields of his profile and these commands are executed when a user with greater privilege exports the data in CSV and opens that file on his machine.

Proof of Concept

1. Enter the payload =SUM(1+1)*cmd|' /C calc'!A0 in any field of the profile, for example, in biography.

2. When the user with high privileges logs in to the application, export data in CSV and opens the generated file, the command is executed and the calculator will run open on the machine.

Affects Plugins

export-users-to-csv

No known fix

References

CVE

Exploitdb

URL

https://hackpuntes.com/cve-2018-15571-wordpress-plugin-export-users-to-csv-1-1-1-csv-injection/

Miscellaneous

Submitter

Javier Olmedo

Submitter website

https://hackpuntes.com

Submitter twitter

Verified

No

WPVDB ID

34f98e09-f71b-4a87-a861-d1d896283a1d

Timeline

Publicly Published

2018-08-16 (about 7 years ago)

Added

2018-08-28 (about 7 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2019-09-02

Title

Event Tickets <= 4.10.7.1 - CSV Injection

Published

2023-11-27

Title

Restricted Site Access <= 7.4.1 - IP Spoofing to Protection Mechanism Bypass

Published

2014-08-01

Title

Construct 1.4 - dl-skin.php _mysite_delete_skin_zip Parameter Absolute Path Traversal Remote Directory Deletion

Published

2025-02-26

Title

Jeg Elementor Kit < 2.6.12 - Authenticated (Contributor+) Sensitive Information Exposure via Countdown and Off-Canvas

Published

2019-10-25

Title

Email Templates < 1.3.1 - HTML Injection