CSV Command Injection Vulnerability in Easy Registration Forms Plugin by WordPress
CVE-2020-22275

8.8HIGH

Key Information:

Vendor
Wordpress
Status
Easy Registration Forms
Vendor
CVE Published:
4 November 2020

Summary

A security flaw in the Easy Registration Forms plugin version 2.0.6 for WordPress allows an attacker to inject malicious CSV commands through form submissions. When a system administrator generates CSV output from the collected forms, there are no validations on the inputs, enabling the execution of these harmful commands. This vulnerability poses significant risks, including potential data manipulation and unauthorized access, highlighting the importance of robust input validation in web applications.

References

https://filebin.net/30ceikgukh268yyj
x_refsource_MISC
http://uploadboy.com/ty0715vdcii6/886/mp4
x_refsource_MISC
https://cert.ikiu.ac.ir/public-files/news/document/CVE-99...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.