Export Users to CSV <= 1.1.1 - CSV Injection



Description
WordPress Export users to CSV plugin version 1.1.1. and before are affected by Remote Code Execution through the CSV injection vulnerability. This allows an application user to inject commands as part of the fields of his profile and these commands are executed when a user with greater privilege exports the data in CSV and opens that file on his machine.
Proof of Concept
1. Enter the payload =SUM(1+1)*cmd|' /C calc'!A0 in any field of the profile, for example, in biography.

2. When the user with high privileges logs in to the application, export data in CSV and opens the generated file, the command is executed and the calculator will run open on the machine.

Affects Plugin

References

CVE 2018-15571
EXPLOITDB 45206
URL https://hackpuntes.com/cve-2018-15571-wordpress-plugin-export-users-to-csv-1-1-1-csv-injection/

Classification

Type UNKNOWN

Miscellaneous

Submitter Javier Olmedo
Submitter Website https://hackpuntes.com
Submitter Twitter JJavierOlmedo
Views 1993
Verified No
WPVDB ID 9119

Timeline

Publicly Published 2018-08-16 (3 months ago)
Added 2018-08-28 (3 months ago)
Last Updated 2018-08-29 (2 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.