CVE-2023-5424

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Weakness

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Affected Software

Name	Vendor	Start Version	End Version
Ws_form	Westguardsolutions	*	1.9.218 (excluding)

Potential Mitigations

References

https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail=
https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme
https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail=
https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme
https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-5424
CWE	https://cwe.mitre.org/data/definitions/1236.html

Improper Neutralization of Formula Elements in a CSV File

Weakness

Affected Software

Potential Mitigations

References