WordPress Plugin Vulnerabilities
Sign-up Sheets < 1.0.14 - Authenticated CSV Injection
Description
The plugin does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue
Proof of Concept
Go to the Sign-up Sheets--> Add New.
Enter the following CSV Injection payload in the field "Title", "Details" and "Task" click on save button.
=cmd|' /C notepad'!'A1'
or
DDE ("cmd";"/C calc";"!A0")A0
After that click on "Export All as CSV " when admin open this downloaded csv file the csv injection payload get executed.
Note (WPScanTeam): To easily reproduce the issue: Create a new sheet with =1+2 as Title, then export it via the All Sheets > Export All as CSV, open it with OpenOffice or any other Spreadsheet viewer and note that the Title column is processed as formula, displaying 3 and not =1+2 Affects Plugins
Fixed in version 1.0.14
References
Classification
Miscellaneous
Original Researcher
Ajay Sandipan Thorbole
Submitter
Ajay Sandipan Thorbole
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-06-21 (about 1 years ago)
Added
2021-06-21 (about 1 years ago)
Last Updated
2021-08-10 (about 1 years ago)