Export Users to CSV <= 1.4.2 – CSV Injection | CVE 2020-9466

Description

An attacker can register themselves as a subscriber in a WordPress website and provide malicious payloads (formula) into the user account details field. When an authenticated admin uses the Export Users to CSV plugin to export the details of all the users into a CSV file and open it, the payload gets executed and can lead to unintended actions such as redirections to unknown/harmful websites.

February 08, 2020 - Report submitted to the developer by researcher
February 26th, 2020 - No update from developer after multiple attempts. Escalated to WP Plugin Team. Release of the advisory.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

export-users

No known fix

References

CVE

CVE-2020-9466

URL

https://www.getastra.com/blog/911/plugin-exploit/csv-injection-in-export-users-to-csv-wordpress-plugin/

URL

https://www.jinsonvarghese.com/csv-injection-in-export-users-to-csv-plugin/

Miscellaneous

Original Researcher

Jinson Varghese Behanan

Submitter

Jinson Varghese Behanan

Submitter website

https://www.jinsonvarghese.com

Submitter twitter

JinsonCyberSec

Verified

WPVDB ID

fe3ef815-d5dc-4635-ac0c-d8cd7d9d38e3

Timeline

Publicly Published

2020-02-26 (about 6 years ago)

Added

2020-02-26 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2014-08-01

Title

Image News Slider 3.2 - Multiple Unspecified Remote Issues

Published

2023-06-02

Title

Contact Form and Calls To Action by vcita <= 2.7.1 - Settings Update Via CSRF

Published

2017-03-06

Title

WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete

Published

2024-10-09

Title

ivalt plugin contains malicious JS <= 1.0.0

Published

2014-08-01

Title

Encrypted Blog 0.0.6.2 - encrypt_blog_form.php redirect_to Parameter Arbitrary Site Redirect