Vulnerabilities > CVE-2019-17661 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Admincolumns Admin Columns 3.4.6

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

admincolumns

CWE-1236

NVD

Published: 2019-11-08

Updated: 2024-10-15

Summary

A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as his first or last name, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

Vulnerable Configurations

Part	Description	Count
Application	Admincolumns Admincolumns Admin Columns 3.4.6	1

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

https://www2.deloitte.com/de/de/pages/risk/articles/wordpress-csv-injection.html