wpvulndb | Benachi | WPVDB-ID: 6A3A573E-F9F2-45EC-9156-332CC551FC7E
History: Jun 28, 2022 - 12:00 a.m.

Request a Quote <= 2.3.7 - CSV Injection

2022-06-28 00:00:00
Benachi
wpscan.com
10

EPSS: 0.003 (Low)
EPSS Percentile: 66.4%

The plugin does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote. This could lead to a CSV injection once an admin downloads and opens the file.

PoC

On a page with a Quote Request form, upload the following CSV as an attachment:

"First Name","Last name","Email","Passport Number"
a,"=cmd|' /C calc'!A0","=1+2",d

The CSV injection will happen when an admin downloads and opens the CSV file from the All Quotes Dashboard.
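As an added example (not code from the advisory or the plugin), the upload-time validation the description says is missing: a check that flags cells a spreadsheet would evaluate as a formula, and a neutralisation step that prefixes such cells with a single quote and quotes every field. The sample input is the PoC attachment from above; the function names are my own.

```python
import csv
import io

# Leading characters that make spreadsheet software evaluate a cell as a
# formula (or, via "=cmd|...", a DDE command) instead of showing plain text.
# "-" also catches negative numbers, an accepted trade-off for an upload filter.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: the attachment shape shown in the advisory's PoC.
SAMPLE_CSV = (
    '"First Name","Last name","Email","Passport Number"\n'
    'a,"=cmd|\' /C calc\'!A0","=1+2",d\n'
)


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    # Leading spaces do not reliably stop evaluation, so strip before checking.
    return value.lstrip().startswith(FORMULA_TRIGGERS)


def find_formula_cells(text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, value) for every formula-like cell.
    Usable as an upload validator: reject the file when the list is non-empty."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


def neutralize_csv(text: str) -> str:
    """Rewrite the CSV so no cell can be evaluated: prefix formula-like cells
    with a single quote (shown as literal text) and quote every field so that
    embedded commas, quotes and newlines cannot spill into another cell."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow(["'" + c if is_formula_cell(c) else c for c in row])
    return out.getvalue()


if __name__ == "__main__":
    for r, c, v in find_formula_cells(SAMPLE_CSV):
        print(f"row {r}, column {c}: {v!r}")
    print(neutralize_csv(SAMPLE_CSV))
```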

CPE Name          Operator   Version
request-a-quote   eq         *

