CVE-2023-5424

HIGH Year: 2023
CVSS v3 Score
8.8
High
Weakness Type
CWE-1236
View all →

Vulnerability Description

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Related Vulnerabilities

CVE-2018-10255

HIGH
CVSS:8.8(High)

A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, lead...

CWE-12362018

CVE-2018-10257

HIGH
CVSS:8.8(High)

A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading ...

CWE-12362018

CVE-2018-10258

HIGH
CVSS:8.8(High)

A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to pos...

CWE-12362018

CVE-2018-20468

HIGH
CVSS:8.8(High)

An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A web reports module has "export to excel features" that are vulnerable to CSV injection. An attacker can embed Excel formulas inside ...

CWE-12362018

CVE-2018-7201

HIGH
CVSS:8.8(High)

CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.

CWE-12362018

CVE-2018-7304

HIGH
CVSS:8.8(High)

Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demo...

CWE-12362018