Source: wpvulndb
Author: Francesco Carlucci
WPVDB-ID: 300EBFCD-C500-464E-B919-ACFEB72593DE
Published: Oct 21, 2022 - 12:00 a.m.

Contact Form Entries < 1.3.0 - CSV Injection

Source URL: wpscan.com
Tags: contact form entries, csv injection, plugin, data validation, csv file, spreadsheet application, vulnerability, software

EPSS: 0.001 (Low), percentile 21.7%

The plugin does not validate submitted data when it is written to the exported CSV file, which leads to CSV injection: a stored form value that begins with a formula character (for example =) is evaluated when an administrator opens the export in a spreadsheet application.

PoC

- Submit a form (using Contact Form 7, Ninja Forms, Elementor Forms or WP Forms) using =5+5 as the value
- Export the data as CSV (/wp-admin/admin.php?page=vxcf_leads)
- Open the CSV with a spreadsheet application (Excel, LibreOffice)
- The CSV formula gets executed
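The plugin itself is PHP; the Python below is an added example, not the plugin's code or WPScan's, showing the two things a practitioner wants after reading this PoC: how an export routine neutralises cells that a spreadsheet would evaluate as formulas (the hardening the fix in 1.3.0 implies), and a scanner that flags such cells in a CSV that has already been exported. Only the =5+5 payload comes from the advisory; the column names, the other sample submissions and all function names are constructed for illustration. It generalises the PoC slightly by covering the full set of leading characters (=, +, -, @, and whitespace-prefixed variants) that Excel and LibreOffice treat as formula triggers.

```python
"""Added example (not the plugin's or WPScan's code): neutralise CSV formula
injection in a form-entry export and scan an export for cells that would be
evaluated as formulas.  Function names, field names and all rows except the
=5+5 payload are constructed for illustration."""
import csv
import io

# A cell whose first non-blank character is one of these is interpreted as a
# formula by Excel and LibreOffice.  Leading space, tab and CR are stripped
# before the check because some importers trim them and then evaluate the rest.
FORMULA_TRIGGERS = "=+-@"

# Constructed export columns (the real plugin's column names are not given
# on this page).
FIELDS = ["name", "email", "message"]

# Constructed submissions.  Row 2 carries the advisory's =5+5 payload; the
# other two flagged rows show that '-' and a tab-prefixed '+' trigger too.
SAMPLE_ENTRIES = [
    {"name": "Alice", "email": "alice@example.com", "message": "Thanks for the quick reply!"},
    {"name": "=5+5", "email": "bob@example.com", "message": "PoC payload from the advisory"},
    {"name": "Carol", "email": "carol@example.com", "message": "-1 + 2"},
    {"name": "Dave", "email": "dave@example.com", "message": "\t+1 (555) 0100"},
]


def is_formula_like(value):
    """True if a spreadsheet would evaluate this cell rather than display it."""
    first = str(value).lstrip(" \t\r\n")[:1]
    return first != "" and first in FORMULA_TRIGGERS


def neutralize_cell(value):
    """Force text interpretation of a formula-like cell.

    The leading apostrophe is the prefix Excel and LibreOffice use to mark a
    cell as literal text.  Safe cells are returned unchanged so ordinary data
    is not altered; the CSV writer below quotes every field and doubles any
    embedded double quotes, so the payload cannot break out of its cell.
    """
    s = str(value)
    return "'" + s if is_formula_like(s) else s


def export_csv(entries, fields, safe=True):
    """Render entries as CSV text; safe=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for entry in entries:
        row = [entry.get(f, "") for f in fields]
        if safe:
            row = [neutralize_cell(v) for v in row]
        writer.writerow(row)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Return (row, column, value) for every cell in csv_text that a
    spreadsheet would evaluate; an empty list means the export is clean."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ENTRIES, FIELDS, safe=False)
    print("vulnerable export flags:", find_formula_cells(unsafe))
    safe = export_csv(SAMPLE_ENTRIES, FIELDS)
    print("hardened export flags:", find_formula_cells(safe))
    print(safe)
```

Run against the constructed entries, the unhardened export is flagged in three cells (the =5+5 name, a message starting with -, and a tab-prefixed phone number), while the hardened export is clean. The apostrophe prefix is the usual recommendation because both Excel and LibreOffice honour it; the trade-off is that some viewers display the apostrophe, so an exporter that needs byte-exact round-tripping should store the raw value and escape only at export time, as this code does.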

CPE: contact-form-entries (operator: lt, version: 1.3.0), i.e. versions below 1.3.0 are affected.
