Vulnerabilities > CVE-2020-9372 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Codepeople Appointment Booking Calendar

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
codepeople
CWE-1236

Summary

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.

Vulnerable Configurations

Part Description Count
Application
Codepeople
211

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/156694/wpbookingcalendar1334-csvinject.txt
idPACKETSTORM:156694
last seen2020-03-13
published2020-03-12
reporterDaniel Monzon
sourcehttps://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
titleWordPress Appointment Booking Calendar 1.3.34 CSV Injection