Sign-up Sheets < 1.0.14 – Authenticated CSV Injection | CVE 2021-24441

Description

The plugin does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue

Proof of Concept

Go to the Sign-up Sheets--> Add New.

Enter the following CSV Injection payload in the field "Title", "Details" and "Task" click on save button.

=cmd|' /C notepad'!'A1' 

or

DDE ("cmd";"/C calc";"!A0")A0

After that click on "Export All as CSV " when admin open this downloaded csv file the csv injection payload get executed.


Note (WPScanTeam): To easily reproduce the issue: Create a new sheet with =1+2 as Title, then export it via the All Sheets > Export All as CSV, open it with OpenOffice or any other Spreadsheet viewer and note that the Title column is processed as formula, displaying 3 and not =1+2