Cleantalk has discovered a CSV Injection vulnerability in WordPress Quick Contact Form Plugin.

Quick Contact Form is a plugin that lets a site owner create multiple contact forms. It has over 3,000 active installations.

CSV Injection allows any user to submit a spreadsheet formula that is written unchanged into the exported CSV file; when an administrator opens that file in a spreadsheet application, the formula is evaluated, leading to possible code execution or information disclosure. The injection occurs in the feedback form fields.

Steps to reproduce

  1. Submit the payload in any field of a published form (any user can do this). For example, ‘;=4+4;’.
  2. Log in as an administrator, go to Quick Contact Form (/wp-admin/admin.php?page=quick-contact-form-messages) and click “Export to CSV”.
  3. Open the file to see the payload getting executed.

Cleantalk reported the vulnerability to Fullworks Digital Ltd, and it has been fixed since version 8.0.6.7.

CSV injection is a common vulnerability in contact form plugins. When implementing a spreadsheet export feature, it is important to follow the input sanitization and output encoding guidelines described by OWASP and at http://georgemauer.net/2017/10/07/csv-injection.html: quote every field, double any embedded quotes, and prefix a cell that begins with a formula trigger character (=, +, -, @, tab, carriage return) with a single quote so it is displayed as text rather than evaluated.
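The export-side mitigation described above, as an added example written for this page; it is not code from the Quick Contact Form plugin (which is PHP) or from Cleantalk. The function names (`is_formula_like`, `neutralize_cell`, `export_messages`) and the sample form submissions are constructed for illustration. Stripping leading spaces before the trigger check is a conservative choice of this example, not part of the OWASP rule; quoting every field is what keeps a value such as the advisory's `;=4+4;` from being split into a bare `=4+4` cell by a spreadsheet that uses `;` as its delimiter.

```python
import csv
import io

# Characters that make a spreadsheet evaluate a cell as a formula when they
# appear at the start of the cell (the OWASP CSV Injection trigger list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """Return True if the cell would be interpreted as a formula.

    Leading spaces are stripped before the check; this is a conservative
    choice of this example (assumed), since some spreadsheet importers
    ignore them.
    """
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Make one submitted value safe for CSV export.

    A formula-like cell is prefixed with a single quote so the spreadsheet
    shows it literally. Embedded double quotes are doubled by the csv writer
    in export_messages(), so nothing else is changed here.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_messages(rows, header):
    """Render submitted messages as CSV text with every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(field) for field in row])
    return buf.getvalue()


# Constructed sample submissions: two formula-style payloads of the kind the
# advisory describes, and one benign message with an embedded quote.
SAMPLE_ROWS = [
    ["=4+4", "first message"],
    [";=4+4;", "second message"],
    ["Jane", 'Hello, "world"'],
]

if __name__ == "__main__":
    print(export_messages(SAMPLE_ROWS, ["name", "message"]))
```

The single-quote prefix is visible to whoever reads the export, which is the intended trade-off: the spreadsheet displays `'=4+4` as text instead of running it, and the quoting preserves the submitted value exactly for anyone processing the file programmatically.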

Cleantalk discovers WordPress Quick Contact Form Plugin CSV Injection Vulnerability