The plugin does not validate and escape fields when exporting form entries as CSV, leading to CSV injection.
- As an unauthenticated user, submit a form using =5+5 as the value in any field
- As admin, export the data as CSV (/wp-admin/admin.php?page=fluent_forms&form_id=1&route=entries)
- Open the CSV with a spreadsheet application (Excel, LibreOffice)
- The CSV formula gets executed
Francesco Carlucci
Yes
2022-10-17 (about 7 months ago)