WordPress Plugin Vulnerabilities

Post to CSV by BestWebSoft < 1.4.1 - Author+ CSV Injection

Description

The plugin does not properly escape fields when exporting data as CSV, leading to a CSV injection

Proof of Concept

Affects Plugins

Plugin icon
post-to-csv
Fixed in 1.4.1

References

CVE
CVE-2022-3393

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
4.6 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Submitter
Francesco Carlucci
Submitter website
https://carluc.ci
Submitter twitter
francecarlucci
Verified
Yes
WPVDB ID
689b4c42-c516-4c57-8ec7-3a6f12a3594e

Timeline

Publicly Published
2022-10-03 (about 3 years ago)
Added
2022-10-03 (about 3 years ago)
Last Updated
2023-08-24 (about 2 years ago)

Other

Published
Title
Published
2022-10-27
Title
Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection
Published
2022-08-16
Title
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
Published
2022-09-25
Title
Activity Log < 2.8.4 - CSV Injection
Published
2022-10-17
Title
FluentForm < 4.3.13 - CSV Injection
Published
2024-06-06
Title
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection