WordPress Form Builder Plugin <= 1.9.9.0 is vulnerable to CSV Injection
CVE-2023-23796

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Form Builder | Create Responsive Contact Forms
Vendor: CVE Published:; 7 November 2023

What is CVE-2023-23796?

The Muneeb Form Builder plugin suffers from a CSV injection vulnerability that allows attackers to manipulate formula elements within CSV files. This could lead to the execution of arbitrary commands or data exfiltration when the generated CSV files are opened in spreadsheet applications. It is crucial for users of the affected versions to understand the risks and take necessary precautions to secure their applications.

Affected Version(s)

Form Builder | Create Responsive Contact Forms <= 1.9.9.0

References

https://patchstack.com/database/vulnerability/contact-for...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 7, 2023
Vulnerability Reserved
Jan 18, 2023

Credit

Rafshanzani Suhada (Patchstack Alliance)