ThreatPress

WordPress Vulnerabilities Database


WordPress Contact Form 7 to Database Extension plugin 2.10.32 - CSV Injection vulnerability

Product
Contact Form 7 to Database Extension
Description
A CSV injection vulnerability was found in the WordPress Contact Form 7 to Database Extension plugin (version 2.10.32). The vulnerable file ExportToCsvUtf8.php allows remote attackers to inject spreadsheet formulas into exported CSV files via the contact form: form fields are written to the export unchanged, so a submission that begins with a formula trigger character is evaluated when an administrator opens the export in a spreadsheet application.
Solution
This plugin has been closed and is no longer available for download on WordPress.org. We suggest that you deactivate and delete this plugin from your server as soon as possible.
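To illustrate the flaw described above and its standard mitigation, here is an added PHP example (not code from the plugin or from ThreatPress): an export routine that writes constructed form submissions with fputcsv, once unsanitised and once with cells that begin with a formula trigger prefixed by a single quote so spreadsheets treat them as text. The function names and the sample rows are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code. Sample submissions are constructed.

// Leading characters that make Excel/LibreOffice evaluate a cell as a formula
// (OWASP CSV injection guidance): = + - @, plus tab and carriage return.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/** Prefix a single quote so the spreadsheet reads the cell as literal text. */
function sanitize_csv_cell(string $value): string
{
    if ($value !== '' && in_array($value[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Serialise submission rows to CSV. With $sanitize = false this mirrors the
 * vulnerable behaviour (untrusted input written verbatim); with true it is the
 * hardened form. fputcsv still handles quoting of delimiters and newlines.
 */
function export_rows(array $rows, bool $sanitize): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        if ($sanitize) {
            $row = array_map('sanitize_csv_cell', $row);
        }
        fputcsv($fh, $row);
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed submissions: the second one carries a harmless formula in
// the "name" field and a leading "+" in the message.
$submissions = [
    ['name' => 'Alice', 'email' => 'alice@example.invalid', 'message' => 'Hello'],
    ['name' => '=SUM(1,2)', 'email' => 'bob@example.invalid', 'message' => '+1 for this'],
];

echo "Vulnerable export:\n", export_rows($submissions, false), "\n";
echo "Hardened export:\n", export_rows($submissions, true);
```

In the hardened output the second row starts with `'=SUM(1,2)` and the message becomes `'+1 for this`, which a spreadsheet displays as text instead of evaluating.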
Classification
Type Direct static code injection
OWASP Top 10 A1: Injection
References
Plugin changelog
CVE
Name CVE-2018-9035
Versions
Affected In 2.10.32
Disclosure date
2018-04-09
Credits
Stefan Broeder
Submitter
ThreatPress