The plugin does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue
Go to the Sign-up Sheets--> Add New. Enter the following CSV Injection payload in the field "Title", "Details" and "Task" click on save button. =cmd|' /C notepad'!'A1' or DDE ("cmd";"/C calc";"!A0")A0 After that click on "Export All as CSV " when admin open this downloaded csv file the csv injection payload get executed. Note (WPScanTeam): To easily reproduce the issue: Create a new sheet with =1+2 as Title, then export it via the All Sheets > Export All as CSV, open it with OpenOffice or any other Spreadsheet viewer and note that the Title column is processed as formula, displaying 3 and not =1+2
Ajay Sandipan Thorbole
Ajay Sandipan Thorbole
Yes
2021-06-21 (about 1 years ago)
2021-06-21 (about 1 years ago)
2021-08-10 (about 1 years ago)