Cleantalk has discovered a CSV Injection vulnerability in the WordPress Quick Contact Form plugin.
Quick Contact Form is a plugin that allows you to create multiple different contact forms. It has more than 3,000 active installations.
CSV Injection allows any user to inject spreadsheet formulas (commands) that are included in the exported CSV file, which can lead to code execution or information disclosure when the file is opened in a spreadsheet application. The injection occurs in the feedback form fields.
Steps to reproduce
- Submit the payload in any field of a published form (any user can do this), for example ‘;=4+4;’.
- Log in as an admin, go to Quick Contact Form (/wp-admin/admin.php?page=quick-contact-form-messages) and click “Export to CSV”.
- Open the file to see the payload being executed.
Cleantalk reported the vulnerability to Fullworks Digital Ltd, and it has been fixed in version 8.0.6.7:
- https://plugins.trac.wordpress.org/changeset/2906093
- https://plugins.trac.wordpress.org/browser/quick-contact-form/trunk/changelog.txt
CSV injection is a common vulnerability in contact form plugins. When implementing a spreadsheet export feature, follow the input sanitization and output escaping guidelines described by OWASP and at http://georgemauer.net/2017/10/07/csv-injection.html.
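As an added example (not the plugin's or Fullworks' code), the PHP below shows how an export routine can neutralize formula triggers before writing submissions with fputcsv(); the ';' delimiter, the function names and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code: harden a CSV export against formula injection.

// Leading characters that make a spreadsheet evaluate a cell as a formula.
// Tab and carriage return are included because some clients strip leading
// whitespace before deciding whether a cell is a formula.
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// True when the value would be evaluated as a formula if exported unchanged;
// useful for flagging a submission in logs before it ever reaches an export.
function csv_looks_like_formula(string $value): bool {
    $trimmed = ltrim($value, " \t\r\n");
    return $trimmed !== '' && in_array($trimmed[0], ['=', '+', '-', '@'], true);
}

// Return a value the spreadsheet displays as literal text: a cell whose first
// character is a trigger gets a single-quote prefix, which spreadsheet
// applications treat as "this cell is text" and never evaluate.
function csv_neutralize_cell(string $value): string {
    if ($value !== '' && in_array($value[0], CSV_FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

// Write one header row plus one row per submission. fputcsv() encloses any
// field containing the delimiter, a quote or a newline in double quotes (and
// doubles embedded quotes), so a value such as ;=4+4; stays one text field
// instead of being split into a new cell that starts with "=".
function export_submissions_csv($stream, array $rows): void {
    fputcsv($stream, ['name', 'email', 'message'], ';');
    foreach ($rows as $row) {
        $cells = array_map('csv_neutralize_cell', array_map('strval', array_values($row)));
        fputcsv($stream, $cells, ';');
    }
}

// Constructed sample submissions; the first row carries the advisory's payload.
$submissions = [
    ['name' => ';=4+4;', 'email' => 'a@example.com', 'message' => '=4+4'],
    ['name' => 'Bob',    'email' => 'b@example.com', 'message' => '-5 stars'],
];
foreach ($submissions as $s) {
    if (csv_looks_like_formula($s['message'])) {
        error_log("formula-like submission from {$s['email']}");
    }
}
$out = fopen('php://output', 'w');
export_submissions_csv($out, $submissions);
fclose($out);
```

Running the script prints the hardened CSV, where the first row appears as `";=4+4;";a@example.com;'=4+4` and opens as plain text in a spreadsheet.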