WordPress Plugin Vulnerabilities

WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection

Description

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Affects Plugins

Plugin icon
ws-form
Fixed in 1.9.218
Plugin icon
ws-form-pro
Fixed in 1.9.218

References

CVE
CVE-2023-5424
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Duc Manh
Verified
No
WPVDB ID
83a7c1d3-3e0e-4f18-8706-5545fdc08ca1

Timeline

Publicly Published
2024-06-06 (about 1 year ago)
Added
2024-06-06 (about 1 year ago)
Last Updated
2024-06-07 (about 1 year ago)

Other

Published
Title
Published
2021-01-25
Title
Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
Published
2024-06-17
Title
Business Directory Plugin < 6.4.4 - Authenticated (Author+) CSV Injection
Published
2022-10-03
Title
Post to CSV by BestWebSoft < 1.4.1 - Author+ CSV Injection
Published
2022-11-29
Title
Appointment Hour Booking < 1.3.73 - CSV Injection
Published
2020-11-20
Title
weForms < 1.6.4 - CSV Injection