CSV Injection Vulnerability in WS Form LITE Plugin for WordPress

CVE-2023-5424

8.8HIGH

Key Information

Vendor: Westguard
Status: Ws Form Lite – Drag & Drop Contact Form Builder For WordPress; Ws Form Pro
Vendor: Published:; 7 June 2024

Summary

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Affected Version(s)

WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.9.217

WS Form Pro <= 1.9.217

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

HIGH

Integrity:

HIGH

Availability:

HIGH

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Timeline

Vulnerability published.
Jun 7, 2024
Disclosed
Jun 6, 2024
Vendor Notified
Jun 5, 2024
Vulnerability Reserved.
Oct 5, 2023

Collectors

NVD DatabaseMitre Database

Credit

Duc Manh