WordPress Plugin Vulnerabilities

Mobile Events Manager < 1.4.8 - Admin+ CSV Injection

Description

The plugin does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.

Proof of Concept

Export events with malicious CSV:
1. Create and save a new Enquiry source and add the following in the name field: =Calc|A!Z
2. Create and save a new Event with test information and select our malicious CSV payload from the dropdown of "Enquiry source" 
3. Victim generate CSV file export and download it

Export transaction with malicious CSV:
1. Add transaction & enter 'Paid from" as malicious CSV script =Calc|A!Z & save the transaction
2. Victim generate CSV file export and download it

The malicious CSV script is executed when the file is opened by the victim in a spreadsheet application.

Affects Plugins

Plugin icon
mobile-events-manager
Fixed in 1.4.8

References

CVE
CVE-2022-1194

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Varun thorat
Submitter
Varun thorat
Submitter twitter
Extrins1c
Verified
Yes
WPVDB ID
62be0991-f095-43cf-a167-3daaed254594

Timeline

Publicly Published
2022-08-17 (about 1 years ago)
Added
2022-08-17 (about 1 years ago)
Last Updated
2023-05-10 (about 1 years ago)

Other

Published
Title
Published
2022-06-29
Title
Exports and Reports < 0.9.2 - Contributor+ CSV Injection
Published
2021-01-25
Title
Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
Published
2022-10-17
Title
Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection
Published
2022-11-09
Title
Export customers list CSV for WooCommerce < 2.0.69 - CSV Injection
Published
2022-11-17
Title
ProfileGrid < 5.1.8 - Subscriber+ CSV Injection