CVE-2023-5527

HIGH Year: 2023
CVSS v3 Score
8.0
High
Weakness Type
CWE-1236
View all →

Vulnerability Description

The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Related Vulnerabilities

CVE-2020-22277

HIGH
CVSS:8.0(High)

Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile.

CWE-12362020

CVE-2020-36503

HIGH
CVSS:8.0(High)

The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue

CWE-12362020

CVE-2020-9017

HIGH
CVSS:8.0(High)

LiteCart through 2.2.1 allows CSV injection via a customer's profile.

CWE-12362020

CVE-2021-23286

HIGH
CVSS:8.0(High)

Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This issue affects: Eaton Intelligent Power Man...

CWE-12362021

CVE-2021-24441

HIGH
CVSS:8.0(High)

The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue

CWE-12362021

CVE-2021-25960

HIGH
CVSS:8.0(High)

In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module ...

CWE-12362021