The plugin does not validate data when it is output to a CSV file, which could lead to CSV injection.
- Submit a form (using Contact Form 7, Ninja Forms, Elementor Forms or WP Forms) using =5+5 as the value
- Export the data as CSV (/wp-admin/admin.php?page=vxcf_leads)
- Open the CSV with a spreadsheet application (Excel, LibreOffice)
- The CSV formula gets executed
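
One way to neutralise such values at export time, shown as an added example that is not the plugin's own code. The function names and sample rows are hypothetical, and the single-quote prefix follows OWASP's CSV injection guidance.

```php
<?php
// Added example: make form values safe before they are written to a CSV export.
// csv_safe_cell() and csv_export_rows() are hypothetical names, not plugin APIs.

/**
 * Return $value in a form a spreadsheet reads as text instead of a formula.
 * Cells whose first character is =, +, -, @, tab or carriage return get a
 * leading single quote. Plain numbers such as "-12.50" are left unchanged.
 */
function csv_safe_cell($value): string
{
    $value = (string) $value;
    if ($value === '' || is_numeric($value)) {
        return $value;
    }
    if (strpbrk($value[0], "=+-@\t\r") !== false) {
        return "'" . $value;
    }
    return $value;
}

/** Build the CSV text for $rows, sanitising every cell on the way out. */
function csv_export_rows(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        // fputcsv() handles quoting of commas, quotes and newlines;
        // an empty escape character (PHP 7.4+) gives RFC 4180 style output.
        fputcsv($fh, array_map('csv_safe_cell', $row), ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample submissions, including the =5+5 value from the steps above.
$rows = [
    ['name', 'message', 'amount'],
    ['Alice', '=5+5', '-12.50'],
    ['Bob', '@SUM(A1:A2)', 'hello'],
    ['Carol', '-2+3', '+42'],
];

echo csv_export_rows($rows);
```

Sanitising at export rather than at submission keeps the stored entry unchanged for other uses while still protecting whoever opens the file.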
CPE

Name | Operator | Version |
---|---|---|
contact-form-entries | lt | 1.3.0 |