Vulnerabilities > CVE-2020-9372 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Codepeople Appointment Booking Calendar
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/156694/wpbookingcalendar1334-csvinject.txt |
| id | PACKETSTORM:156694 |
| last seen | 2020-03-13 |
| published | 2020-03-12 |
| reporter | Daniel Monzon |
| source | https://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html |
| title | WordPress Appointment Booking Calendar 1.3.34 CSV Injection |
References
- https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
- https://wordpress.org/plugins/appointment-booking-calendar/#developers
- https://www.hotdreamweaver.com/support/view.php?id=815925
- http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html