PT-2018-18797 · WordPress · Contact Form 7 To Database Extension

Stefan Broeder · Published 2018-04-04 · Updated 2020-08-24 · CVE-2018-9035

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Contact Form 7 to Database Extension plugin version 2.10.32

Description: The issue allows remote attackers to inject spreadsheet formulas into CSV files via the contact form. This is achieved through a CSV Injection vulnerability in the ExportToCsvUtf8.php file of the plugin.

Recommendations: For version 2.10.32, update to a newer version that contains a fix for this issue, to prevent remote attackers from injecting malicious spreadsheet formulas into CSV files.
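The CSV export in the plugin is what turns a form submission into a cell that a spreadsheet may evaluate. The following PHP is an added example, not the plugin's own code and not its fix; the function names are hypothetical and the sample rows are constructed. It shows the usual defensive treatment for such an export: RFC 4180 quoting of every cell plus a single-quote prefix on any value that a spreadsheet would otherwise parse as a formula.

```php
<?php
// Added example (not the plugin's code): neutralise formula triggers in
// user-supplied cells before they are written to a CSV export.
// Function names are hypothetical; the sample rows below are constructed.

declare(strict_types=1);

/**
 * True when a cell value would be interpreted as a formula by common
 * spreadsheet applications when the CSV file is opened.
 */
function csv_cell_is_formula_like(string $value): bool
{
    // Spreadsheets strip leading whitespace before parsing, so a value
    // such as "  =1+1" is as dangerous as "=1+1". Tabs and carriage
    // returns are included in the trimmed set for the same reason.
    $trimmed = ltrim($value, " \t\r\n");
    if ($trimmed === '') {
        return false;
    }
    return in_array($trimmed[0], ['=', '+', '-', '@'], true);
}

/**
 * Escape one cell for CSV output and, when the content looks like a
 * formula, prefix it with a single quote so spreadsheet applications
 * treat the whole cell as literal text.
 */
function csv_safe_cell(string $value): string
{
    if (csv_cell_is_formula_like($value)) {
        $value = "'" . $value;
    }
    // Always quote and double any embedded quotes; this also stops
    // embedded commas or newlines from breaking out of the cell.
    return '"' . str_replace('"', '""', $value) . '"';
}

/**
 * Render a table (an array of rows, each an array of strings) as
 * CRLF-terminated CSV text with every cell passed through csv_safe_cell().
 */
function csv_safe_export(array $rows): string
{
    $lines = [];
    foreach ($rows as $row) {
        $lines[] = implode(',', array_map('csv_safe_cell', $row));
    }
    return implode("\r\n", $lines) . "\r\n";
}

// Constructed sample submissions: a benign message with quotes, a
// formula-like message, and a phone number that happens to start with '+'.
$rows = [
    ['name',  'email',             'message'],
    ['Alice', 'alice@example.com', 'Hello, "world"'],
    ['Bob',   'bob@example.com',   '=SUM(1,2)'],
    ['Carol', 'carol@example.com', '  +1 (555) 0100'],
];

echo csv_safe_export($rows);
```

Run it with `php export_example.php` (any file name works) and open the output in a spreadsheet: the `=SUM(1,2)` cell is displayed as text rather than evaluated. The trade-off to be aware of is that legitimate values beginning with `+` or `-`, such as the phone number in the sample, also receive the apostrophe prefix; that is usually acceptable for an administrative export, and it is safer than trying to guess which leading-sign values are harmless.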

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers: CVE-2018-9035

Affected Products: Contact Form 7 To Database Extension