CVE-2023-5424

EPSS 1.85%
Published 07.06.2024 10:15:10
Last modified 21.11.2024 08:41:44
Source security@wordfence.com
Teams watchlist Login
Open Login

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Westguardsolutions ≫ Ws Form SwEditionlite SwPlatformwordpress Version < 1.9.218

Westguardsolutions ≫ Ws Form SwEditionpro SwPlatformwordpress Version < 1.9.218

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.85%	0.822

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security@wordfence.com	4.7	1.6	2.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail=

Patch

https://wsform.com/changelog/?utm_source=wp_plugins&utm_medium=readme

Release Notes

https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-5424

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-5424

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-5424

EUVD