WordPress Plugin Vulnerabilities

Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection

Description

The plugin does not validate data when output it back in a CSV file, which could lead to CSV injection

Proof of Concept

Use a Contact Form 7 form and submit an Excel formula in the message field, such as "=5+5" without quotes. Export the entry as CSV using the plugin and import it into Excel

Affects Plugins

contact-form-cfdb7

Fixed in version 1.2.6.5

References

CVE

CVE-2022-3634

Classification

Type

CSV INJECTION

OWASP top 10

A1: Injection

CWE

CWE-1236

Miscellaneous

Original Researcher

Adel Bouaricha

Submitter

Adel Bouaricha

Submitter website

https://brainshell.net

Submitter twitter

https://twitter.com/virtualsamuraii

Verified

Yes

WPVDB ID

b5eeefb0-fb5e-4ca6-a6f0-67f4be4a2b10

Timeline

Publicly Published

2022-10-27 (about 5 months ago)

Added

2022-10-27 (about 5 months ago)

Last Updated

2022-10-27 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin