CVE-2023-5424

EPSS 2.49%
Veröffentlicht 07.06.2024 10:15:10
Zuletzt bearbeitet 21.11.2024 08:41:44
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Mögliche Gegenmaßnahme

WS Form LITE – Drag & Drop Contact Form Builder: Update to version 1.9.218, or a newer patched version

WS Form Pro: Update to version 1.9.218, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt WS Form LITE – Drag & Drop Contact Form Builder

Version * - 1.9.217

SystemWordPress Plugin

≫

Produkt WS Form Pro

Version * - 1.9.217

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Westguardsolutions ≫ Ws Form SwEditionlite SwPlatformwordpress Version < 1.9.218

Westguardsolutions ≫ Ws Form SwEditionpro SwPlatformwordpress Version < 1.9.218

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.49%	0.848

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security@wordfence.com	4.7	1.6	2.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail=

Patch

https://wsform.com/changelog/?utm_source=wp_plugins&utm_medium=readme

Release Notes

https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-5424

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-5424

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-5424

EUVD