Contact Form Entries < 1.3.0 - CSV Injection
CVE-2022-3604

7.8HIGH

Key Information:

Vendor: Wordpress
Status: Contact Form Entries
Vendor: CVE Published:; 16 January 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Contact Form Entries plugin for WordPress, prior to version 1.3.0, contains a vulnerability that fails to properly validate data when exporting to CSV files. This oversight can be exploited by an attacker to execute malicious commands through specially crafted input, leading to potential CSV injection attacks. Users of this plugin should ensure they update to the latest version to mitigate this risk and protect their sites from unwanted manipulation of CSV outputs.

Affected Version(s)

Contact Form Entries 0 < 1.3.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-3604 - Proof of Concept

References

https://wpscan.com/vulnerability/300ebfcd-c500-464e-b919-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 16, 2024
👾
Exploit known to exist
Jan 16, 2024
Vulnerability published
Jan 16, 2024
Vulnerability Reserved
Oct 19, 2022

Credit

Francesco Carlucci

WPScan