Cleantalk has discovered a CSV Injection vulnerability in WordPress Quick Contact Form Plugin.
Quick Contact Form is a plugin that allows you to create multiple different contact forms. It has over 3,000+ active installations.
CSV Injection allows any user to inject a command (formulas) that will be included in the exported CSV file, leading to possible code execution or information disclosure. The injection occurs in the feedback form fields.
Steps to reproduce
- Submit the payload in any field of a published form (any user can do this). For example, ‘;=4+4;’.
- Login as an admin, Go to Quick Contact Form (/wp-admin/admin.php?page=quick-contact-form-messages) and click “Export to CSV”.
- Open the file to see the payload getting executed.
Cleantalk reported the vulnerability to Fullworks Digital Ltd and it has been fixed since version 126.96.36.199:
CSV injection is a popular vulnerability in contact form plugins. When implementing the spreadsheet export feature, it is important to follow the input sanitization and filtration guidelines described in OWASP and http://georgemauer.net/2017/10/07/csv-injection.html.