CVE-2020-9372

CVSS v3 Score: 7.8 (High)
CVSS v2 Score: 6.8 (Medium)

Vulnerability Description

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to contain an arbitrary formula, which can then be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.

CVSS: 7.8 (High)

The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.

CVSS: 7.8 (High)

The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.

CVSS: 7.8 (High)

The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.

CVSS: 7.8 (High)

IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by ...

CVSS: 7.8 (High)

Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.