Lucene search
Copyright (C) 2024 Greenbone AGOPENVAS:1361412562310124499HistoryJan 02, 2024 - 12:00 a.m.
WordPress Contact Form Plugin < 4.3.13 CSV Injection Vulnerability
2024-01-0200:00:00
Copyright (C) 2024 Greenbone AG
plugins.openvas.org
5
wordpress
contact form
plugin
csv injection
vulnerability
validation
escape
affected version
update
version 4.3.13
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
7
Confidence
High
EPSS
0.003
Percentile
68.8%
The WordPress plugin
# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:fluentforms:contact_form";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.124499");
script_version("2024-01-12T05:05:56+0000");
script_tag(name:"last_modification", value:"2024-01-12 05:05:56 +0000 (Fri, 12 Jan 2024)");
script_tag(name:"creation_date", value:"2024-01-02 08:30:48 +0000 (Tue, 02 Jan 2024)");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2022-11-09 20:09:00 +0000 (Wed, 09 Nov 2022)");
script_cve_id("CVE-2022-3463");
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"VendorFix");
script_name("WordPress Contact Form Plugin < 4.3.13 CSV Injection Vulnerability");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2024 Greenbone AG");
script_family("Web application abuses");
script_dependencies("gb_wordpress_plugin_http_detect.nasl");
script_mandatory_keys("wordpress/plugin/fluentform/detected");
script_tag(name:"summary", value:"The WordPress plugin 'Contact Form' is prone to a CSV
injection vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"The plugin does not validate and escape fields when exporting
form entries as CSV, leading to a CSV injection.");
script_tag(name:"affected", value:"WordPress Contact Form plugin prior to version 4.3.13.");
script_tag(name:"solution", value:"Update to version 4.3.13 or later.");
script_xref(name:"URL", value:"https://wpscan.com/vulnerability/e2a59481-db45-4b8e-b17a-447303469364");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if( ! port = get_app_port( cpe: CPE ) )
exit( 0 );
if( ! infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE ) )
exit( 0 );
version = infos["version"];
location = infos["location"];
if( version_is_less( version: version, test_version: "4.3.13" ) ) {
report = report_fixed_ver( installed_version: version, fixed_version: "4.3.13", install_path: location );
security_message( port: port, data: report );
exit( 0 );
}
exit( 99 );
Related
cvelist
cvelist
CVE-2022-3463 FluentForm < 4.3.13 - CSV Injection
2022-11-07 00:00:00
nvd
nvd
CVE-2022-3463
2022-11-07 10:15:11
wpexploit
wpexploit
FluentForm < 4.3.13 - CSV Injection
2022-10-17 00:00:00
wpvulndb
wpvulndb
FluentForm < 4.3.13 - CSV Injection
2022-10-17 00:00:00
prion
prion
Design/Logic Flaw
2022-11-07 10:15:00
cve
cve
CVE-2022-3463
2022-11-07 10:15:11
patchstack
patchstack
WordPress FluentForm plugin <= 4.3.12 - CSV Injection vulnerability
2022-10-17 00:00:00
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
7
Confidence
High
EPSS
0.003
Percentile
68.8%
Related for OPENVAS:1361412562310124499