WordPress Plugin Vulnerabilities

Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection

Description

The plugin does not validate data when output it back in a CSV file, which could lead to CSV injection

Proof of Concept

Use a Contact Form 7 form and submit an Excel formula in the message field, such as "=5+5" without quotes. Export the entry as CSV using the plugin and import it into Excel

Affects Plugins

Plugin icon
contact-form-cfdb7
Fixed in 1.2.6.5

References

CVE
CVE-2022-3634

Classification

Type
CSV INJECTION
OWASP top 10
A1: Injection
CWE
CWE-1236
CVSS
2.2 (low)

Miscellaneous

Original Researcher
VirtualSamurai
Submitter
VirtualSamurai
Submitter website
https://brainshell.net
Submitter twitter
https://twitter.com/virtualsamuraii
Verified
Yes
WPVDB ID
b5eeefb0-fb5e-4ca6-a6f0-67f4be4a2b10

Timeline

Publicly Published
2022-10-27 (about 1 years ago)
Added
2022-10-27 (about 1 years ago)
Last Updated
2023-05-19 (about 11 months ago)

Other

Published
Title
Published
2022-09-22
Title
Export Post Info < 1.2.1 - Author+ CSV Injection
Published
2021-11-03
Title
Visual Form Builder < 3.0.6 - CSV Injection
Published
2022-09-25
Title
Activity Log < 2.8.4 - CSV Injection
Published
2022-10-21
Title
Contact Form Entries < 1.3.0 - CSV Injection
Published
2020-11-20
Title
Easy Registration Forms <= 2.0.6 - CSV Injection