2.10.32

CVSS 9.6 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

contact-form-7-to-database-extension-project

CWE-1236

critical

exploit available

NVD

Published: 2018-04-04

Updated: 2020-08-24

Summary

CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.

Vulnerable Configurations

Part	Description	Count
Application	Contact-Form-7-To-Database-Extension_Project Contact Form 7 TO Database Extension Project Contact Form 7 TO Database Extension 2.10.30 Contact Form 7 TO Database Extension Project Contact Form 7 TO Database Extension 2.10.31 Contact Form 7 TO Database Extension Project Contact Form 7 TO Database Extension 2.10.32	3

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

Exploit-Db

description	WordPress Plugin Contact Form 7 to Database Extension 2.10.32 - CSV Injection. CVE-2018-9035. Webapps exploit for PHP platform
file	exploits/php/webapps/44367.txt
id	EDB-ID:44367
last seen	2018-05-24
modified	2018-03-30
platform	php
port	80
published	2018-03-30
reporter	Exploit-DB
source	https://www.exploit-db.com/download/44367/
title	WordPress Plugin Contact Form 7 to Database Extension 2.10.32 - CSV Injection
type	webapps

Packetstorm

data source	https://packetstormsecurity.com/files/download/146988/wpcf7de21032-csvinject.txt
id	PACKETSTORM:146988
last seen	2018-04-03
published	2018-03-31
reporter	Stefan Broeder
source	https://packetstormsecurity.com/files/146988/WordPress-Contact-Form-7-To-Database-Extension-2.10.32-CSV-Injection.html
title	WordPress Contact Form 7 To Database Extension 2.10.32 CSV Injection

References

https://www.exploit-db.com/exploits/44367/