Export Users to CSV <= 1.4.2 - CSV Injection

An attacker can register as a subscriber on a WordPress site and supply a spreadsheet formula as a malicious payload in a user account details field. When an authenticated administrator uses the Export Users to CSV plugin to export the details of all users to a CSV file and opens that file in a spreadsheet application, the formula is evaluated and can lead to unintended actions such as redirection to unknown or harmful websites.
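The standard mitigation for this class of issue is to neutralize every exported cell before it reaches the CSV writer, so that values beginning with a formula trigger are stored as text rather than evaluated. The following Python is an added defensive illustration, not code from the plugin or from the advisory; the sample user records are constructed, and they use the WordPress user column names `user_login`, `user_email` and `display_name` only as labels.

```python
import csv
import io

# Characters that common spreadsheet applications treat as the start of a
# formula (per OWASP CSV injection guidance). Tab and carriage return are
# included because some importers strip them before evaluating the cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Columns exported by this example (WordPress user table column names, used here
# purely as labels for the constructed sample data).
FIELDS = ("user_login", "user_email", "display_name")


def is_formula_like(value: str) -> bool:
    """True if a cell value would be interpreted as a formula by a spreadsheet."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Defuse a single cell so it is displayed as text rather than evaluated.

    A leading single quote is the spreadsheet convention for "treat as text";
    it is prepended whenever the value starts with a formula trigger. Embedded
    double quotes are handled by the csv writer, which doubles them so a value
    cannot break out of its quoted cell.
    """
    if value is None:
        return ""
    text = str(value)
    if is_formula_like(text):
        text = "'" + text
    return text


def export_users(users) -> str:
    """Render user records as CSV text with every field neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(FIELDS)
    for user in users:
        writer.writerow([neutralize_cell(user[field]) for field in FIELDS])
    return buf.getvalue()


def flagged_fields(users):
    """Audit helper: (login, field) pairs whose stored value looks like a formula.

    Useful for reviewing existing profile data before an export, or as a
    detection signal on registration and profile-update events.
    """
    return [
        (user["user_login"], field)
        for user in users
        for field in FIELDS
        if is_formula_like(str(user[field]))
    ]


# Constructed sample data. The third record's display name begins with "=" and
# would be evaluated as a formula if exported unchanged.
SAMPLE_USERS = [
    {"user_login": "alice", "user_email": "alice@example.com", "display_name": "Alice"},
    {"user_login": "bob", "user_email": "bob@example.com", "display_name": 'Bob "Jr", Esq.'},
    {"user_login": "mallory", "user_email": "mallory@example.com", "display_name": "=SUM(1,1)"},
]


if __name__ == "__main__":
    print("Fields needing attention:", flagged_fields(SAMPLE_USERS))
    print(export_users(SAMPLE_USERS))
```

The single-quote prefix also fires on legitimate values such as negative numbers or names beginning with a hyphen; that is the accepted trade-off of the OWASP approach, and the prefix is visible but harmless once the file is opened. `QUOTE_ALL` is used so that a value containing commas or quotes (such as the second record) is always a single cell.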

February 08, 2020 - Report submitted to the developer by the researcher
February 26, 2020 - No update from the developer after multiple attempts. Escalated to the WP Plugin Team. Release of the advisory.

Proof of Concept
The PoC will be displayed once the issue has been remediated.

Affects Plugin Export Users to CSV <= 1.4.2

no known fix - plugin closed


CVE 2020-9466
URL https://www.getastra.com/blog/911/plugin-exploit/csv-injection-in-export-users-to-csv-wordpress-plugin/
URL https://www.jinsonvarghese.com/csv-injection-in-export-users-to-csv-plugin/




Original Researcher Jinson Varghese Behanan
Submitter Jinson Varghese Behanan
Submitter Website https://www.jinsonvarghese.com
Submitter Twitter JinsonCyberSec
Views 3800
Verified No
WPVDB ID 10094


Publicly Published 2020-02-26
Added 2020-02-26
Last Updated 2020-02-29
