FluentForm < 4.3.13 – CSV Injection | CVE 2022-3463 | Plugin Vulnerabilities

Description

The plugin does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection

Proof of Concept

- As unauthenticated, submit a form using =5+5 as value in any field

- As admin, export the data as CSV (/wp-admin/admin.php?page=fluent_forms&form_id=1&route=entries)
- open the CSV with a spreadsheet application (Excel, Libre Office)
- the CSV formula gets executed

Affects Plugins

Fixed in 4.3.13

References

CVE

Classification

Type

CSV INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci/

Submitter twitter

Verified

Yes

WPVDB ID

e2a59481-db45-4b8e-b17a-447303469364

Timeline

Publicly Published

2022-10-17 (about 3 years ago)

Added

2022-10-17 (about 3 years ago)

Last Updated

2022-10-17 (about 3 years ago)

Other

Published

Title

Published

2023-02-06

Title

Email Subscribers & Newsletters < 5.5.3 - Improper Neutralization of Formula Elements in a CSV File

Published

2023-11-07

Title

1003 Mortgage Application < 1.80 - Improper Neutralization of Formula Elements in a CSV File

Published

2023-02-02

Title

Simple History < 3.4.0 - Improper Neutralization of Formula Elements in a CSV File

Published

2022-10-27

Title

Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection

Published

2021-01-25

Title

Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection