CSV Injection Vulnerability in TablePress Plugin for WordPress
CVE-2019-20180
6.8 MEDIUM
Summary
The TablePress plugin version 1.9.2 for WordPress is susceptible to a CSV injection attack that may allow malicious users with Editor privileges to execute code within CSV files. The vendor contends that the risk lies with the application used to open the CSV file rather than with the plugin itself, but users should still be aware of this vulnerability. Users are advised to exercise caution and to implement best practices for secure file handling to mitigate potential risks.
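One way to apply the "secure file handling" advice on the receiving side is to audit an exported CSV before it is opened in a spreadsheet application. The following is an added example, not code from TablePress or from this advisory; the function names and the sample export are constructed for illustration, and the trigger-character set and single-quote prefix follow OWASP's general CSV injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as the start
# of a formula (assumption: the set from OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export; the formula cells are deliberately harmless.
SAMPLE_EXPORT = 'name,value\nAlice,-5\nBob,=1+1\n"@SUM(A1:A2)",ok\n'


def is_formula_like(cell):
    """True if the cell starts with a trigger character and is not a plain number."""
    if not cell.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(cell)  # "-5" or "+1e3" are ordinary numbers, not formulas
        return False
    except ValueError:
        return True


def audit_and_neutralize(csv_text):
    """Return (findings, safe_csv_text).

    findings is a list of (row, column, original_cell), 1-indexed.
    In safe_csv_text every flagged cell is prefixed with a single quote so the
    spreadsheet treats it as text, and every field is quoted on output.
    """
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    for row_no, row in enumerate(reader, start=1):
        safe_row = []
        for col_no, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((row_no, col_no, cell))
                cell = "'" + cell
            safe_row.append(cell)
        writer.writerow(safe_row)
    return findings, out.getvalue()


if __name__ == "__main__":
    hits, safe = audit_and_neutralize(SAMPLE_EXPORT)
    for row_no, col_no, cell in hits:
        print(f"row {row_no}, column {col_no}: formula-like cell {cell!r}")
    print(safe, end="")
```

The same neutralization can be applied where the CSV is generated, which removes the dependence on how the consuming application is configured.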
CVSS V3.1
Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved