Vulnerabilities > CVE-2020-9372 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Codepeople Appointment Booking Calendar
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/156694/wpbookingcalendar1334-csvinject.txt |
| id | PACKETSTORM:156694 |
| last seen | 2020-03-13 |
| published | 2020-03-12 |
| reporter | Daniel Monzon |
| source | https://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html |
| title | WordPress Appointment Booking Calendar 1.3.34 CSV Injection |
References
- https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
- https://wordpress.org/plugins/appointment-booking-calendar/#developers
- https://www.hotdreamweaver.com/support/view.php?id=815925
- http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html