Export Users to CSV <= 1.1.1 - CSV Injection



Description
WordPress Export users to CSV plugin version 1.1.1. and before are affected by Remote Code Execution through the CSV injection vulnerability. This allows an application user to inject commands as part of the fields of his profile and these commands are executed when a user with greater privilege exports the data in CSV and opens that file on his machine.
Proof of Concept
1. Enter the payload =SUM(1+1)*cmd|' /C calc'!A0 in any field of the profile, for example, in biography.

2. When the user with high privileges logs in to the application, export data in CSV and opens the generated file, the command is executed and the calculator will run open on the machine.

Affects Plugin

no known fix
- plugin closed

References

CVE 2018-15571
ExploitDB 45206
URL https://hackpuntes.com/cve-2018-15571-wordpress-plugin-export-users-to-csv-1-1-1-csv-injection/

Classification

Type UNKNOWN

Miscellaneous

Submitter Javier Olmedo
Submitter Website https://hackpuntes.com
Submitter Twitter JJavierOlmedo
Views 8920
Verified No
WPVDB ID 9119

Timeline

Publicly Published 2018-08-16 (almost 2 years ago)
Added 2018-08-28 (almost 2 years ago)
Last Updated 2019-11-01 (8 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin