WordPress Plugin Vulnerabilities
Mobile Events Manager < 1.4.8 - Admin+ CSV Injection
Description
The plugin does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.
Proof of Concept
Export events with malicious CSV: 1. Create and save a new Enquiry source and add the following in the name field: =Calc|A!Z 2. Create and save a new Event with test information and select our malicious CSV payload from the dropdown of "Enquiry source" 3. Victim generate CSV file export and download it Export transaction with malicious CSV: 1. Add transaction & enter 'Paid from" as malicious CSV script =Calc|A!Z & save the transaction 2. Victim generate CSV file export and download it The malicious CSV script is executed when the file is opened by the victim in a spreadsheet application.
Affects Plugins
Fixed in version 1.4.8 - plugin closed
References
Classification
Miscellaneous
Original Researcher
Varun thorat
Submitter
Varun thorat
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-08-17 (about 9 months ago)
Added
2022-08-17 (about 9 months ago)
Last Updated
2023-05-10 (about 24 days ago)