Exports and Reports < 0.9.2 – Contributor+ CSV Injection | CVE 2022-1539 | Plugin Vulnerabilities

Description

The plugin does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.

Proof of Concept

As a contributor, put the following payload in a Post title: =1+2

As admin, export a CSV using the plugin's feature (/wp-admin/admin.php?page=exports-reports-group-1), open it with OpenOffice/Excel etc and note that formula being processed

Affects Plugins

exports-and-reports

Fixed in 0.9.2

References

CVE

Classification

Type

CSV INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

websafe2021

Submitter

websafe2021

Submitter website

https://github.com/websafe2021

Verified

Yes

WPVDB ID

50f70927-9677-4ba4-a388-0a41ed356523

Timeline

Publicly Published

2022-06-29 (about 1 years ago)

Added

2022-06-29 (about 1 years ago)

Last Updated

2023-04-04 (about 1 years ago)

Other

Published

Title

Published

2023-11-07

Title

Posts and Users Stats < 1.1.4 - Improper Neutralization of Formula Elements in a CSV File

Published

2020-01-08

Title

WP Users Exporter <= 1.4.2 - CSV Injection

Published

2021-01-25

Title

Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection

Published

2022-09-22

Title

Export Post Info < 1.2.1 - Author+ CSV Injection

Published

2022-08-17

Title

Mobile Events Manager < 1.4.8 - Admin+ CSV Injection