PT-2019-15242 · Microsoft+1 · Office Excel+1

Published: 2019-11-08 · Updated: 2024-10-15 · CVE-2019-17661

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

codepress-admin-columns plugin version 3.4.6

Description

A CSV injection in the codepress-admin-columns plugin for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as their first or last name, an attacker can create a user whose name contains malicious code. Other users might download this data as a CSV file and compromise their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

Recommendations

For version 3.4.6, consider updating to a newer version to mitigate the risk. However, at the moment there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the ability to create users with names that contain formula code to minimize the risk of exploitation.
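One way to apply the workaround, as an added PHP example that is not code from the plugin or from this advisory: a check that rejects names a spreadsheet would read as a formula, plus an export-side neutralizer for rows that already exist. The function names, the prefix list and the sample rows are assumptions constructed for illustration; wiring the check into WordPress user registration is not shown.

```php
<?php
// Characters that spreadsheet tools treat as the start of a formula (assumed list).
const FORMULA_PREFIXES = ['=', '+', '-', '@', "\t", "\r"];

/** True when a value would be evaluated as a formula once exported to CSV. */
function name_looks_like_formula(string $name): bool
{
    $trimmed = ltrim($name, ' ');   // leading spaces do not make a value safe
    return $trimmed !== '' && in_array($trimmed[0], FORMULA_PREFIXES, true);
}

/** Prefix risky cells with a single quote so they are shown as text. */
function neutralize_csv_cell(string $value): string
{
    return name_looks_like_formula($value) ? "'" . $value : $value;
}

/** Build CSV text from rows, neutralizing every cell before it is written. */
function export_users_csv(array $rows): string
{
    $out = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        fputcsv($out, array_map('neutralize_csv_cell', $row), ',', '"', '\\');
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Constructed sample data: the second user has a formula-style first name.
$users = [
    ['Alice', 'Smith', 'alice@example.test'],
    ['=1+1',  'Doe',   'eve@example.test'],
];

// Input-side check: what a registration form would refuse.
foreach ($users as [$first, $last, $email]) {
    if (name_looks_like_formula($first) || name_looks_like_formula($last)) {
        echo "rejected at registration: {$email}\n";
    }
}

// Output-side check: what the export writes for names already stored.
echo export_users_csv($users);
```

The input check refuses some legitimate values (a name beginning with a hyphen, for instance), so the export-side neutralizer is the part that protects the people who open the file.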

Exploit

RCE

Weakness Enumeration

Related Identifiers

CVE-2019-17661

Affected Products

Office Excel
Codepress-Admin-Columns