CVE-2023-5424

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:westguardsolutions:ws_form:*:*:*:*:lite:wordpress:*:*
cpe:2.3:a:westguardsolutions:ws_form:*:*:*:*:pro:wordpress:*:*

History

21 Nov 2024, 08:41

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail= - Patch () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail= - Patch
References () https://wsform.com/changelog/?utm_source=wp_plugins&utm_medium=readme - Release Notes () https://wsform.com/changelog/?utm_source=wp_plugins&utm_medium=readme - Release Notes
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve - Third Party Advisory
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 4.7

12 Jun 2024, 13:38

Type Values Removed Values Added
CWE CWE-1236
CVSS v2 : unknown
v3 : 4.7
v2 : unknown
v3 : 8.8
First Time Westguardsolutions
Westguardsolutions ws Form
CPE cpe:2.3:a:westguardsolutions:ws_form:*:*:*:*:pro:wordpress:*:*
cpe:2.3:a:westguardsolutions:ws_form:*:*:*:*:lite:wordpress:*:*
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail= - () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail= - Patch
References () https://wsform.com/changelog/?utm_source=wp_plugins&utm_medium=readme - () https://wsform.com/changelog/?utm_source=wp_plugins&utm_medium=readme - Release Notes
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve - Third Party Advisory

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) El complemento WS Form LITE para WordPress es vulnerable a la inyección CSV en versiones hasta la 1.9.217 incluida. Esto permite a atacantes no autenticados incrustar entradas que no son de confianza en archivos CSV exportados, lo que puede provocar la ejecución de código cuando estos archivos se descargan y abren en un sistema local con una configuración vulnerable.

07 Jun 2024, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-07 10:15

Updated : 2024-11-21 08:41


NVD link : CVE-2023-5424

Mitre link : CVE-2023-5424

CVE.ORG link : CVE-2023-5424


JSON object : View

Products Affected

westguardsolutions

  • ws_form
CWE
CWE-1236

Improper Neutralization of Formula Elements in a CSV File