FluentForm < 4.3.13 - CSV Injection
CVE-2022-3463

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Contact Form Plugin – Fastest Contact Form Builder Plugin For WordPress By Fluent Forms
Vendor: CVE Published:; 7 November 2022

Summary

The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection

Affected Version(s)

Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms 4.3.13

References

https://wpscan.com/vulnerability/e2a59481-db45-4b8e-b17a-...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 7, 2022
Vulnerability Reserved
Oct 12, 2022

Credit

Francesco Carlucci