Vulnerabilities > CVE-2020-9372 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Codepeople Appointment Booking Calendar

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.

Vulnerable Configurations

Part Description Count
Application
Codepeople
211

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/156694/wpbookingcalendar1334-csvinject.txt
idPACKETSTORM:156694
last seen2020-03-13
published2020-03-12
reporterDaniel Monzon
sourcehttps://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
titleWordPress Appointment Booking Calendar 1.3.34 CSV Injection