CVE-2019-15092 WordPress Plugin Import Export Users <= 1.3.0 - CSV Injection
CSV Injection, also known as Formula Injection, occurs when a website embeds untrusted input in a CSV file it generates. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc opens the CSV, any cell starting with ‘=’ (and, in practice, also ‘+’, ‘-’ or ‘@’) is interpreted as a formula rather than as text. Maliciously crafted formulas enable three kinds of attack:
- Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software itself, such as CVE-2014-3524.
- Hijacking the user’s computer by exploiting the user’s tendency to click through the security warnings the spreadsheet shows (for example before executing a DDE command), since they trust a file downloaded from their own website.
- Exfiltrating the contents of the spreadsheet, or of other spreadsheets that are open at the same time.
A malicious user holding only the lowest WordPress role (subscriber) can set the first name, surname, alias or display name fields of their own profile to a formula payload. When an administrator later exports the users with the plugin and opens the resulting CSV in a spreadsheet application, the payload is evaluated on the administrator’s computer; if the administrator accepts the application’s warnings, it executes commands there.
CSV injection is accepted as a valid, rewarded vulnerability class by a number of companies’ bug bounty programs, for example:
- Uber: https://hackerone.com/reports/126109
- HackerOne: https://hackerone.com/reports/72785
- HackerOne: https://hackerone.com/reports/124223
- New Relic: https://hackerone.com/reports/127032
Proof of Concept
1. Log in as a subscriber and change the fields First name, Surname and Alias to the payload (the payload used in this report downloads a malicious file from a web server and executes it with PowerShell on the administrator’s computer).
2. Log in as an administrator and export all users to CSV.
3. Open the file with Microsoft Office: the exported field begins with the character ‘=’ followed by the PowerShell command, so the spreadsheet treats it as a formula.
This attack is easy to mitigate. When generating the CSV file, ensure that no cell begins with any of the following characters (a tab or carriage return at the start of a cell should be treated the same way):
- Equals (“=”)
- Plus (“+”)
- Minus (“-”)
- At (“@”)
The usual remediation is to prefix such cells with a single quote (’), which makes the spreadsheet display the content as literal text, and to enclose every field in double quotes with any embedded double quote doubled.
The function do_export() of the WF_CustomerImpExpCsv_Exporter class writes these fields to the CSV without checking whether they begin with any of the (=, +, -, @) characters.
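The following is an added example and not the plugin’s own code: a minimal PHP user exporter that shows the unchecked behaviour described above next to a hardened version that neutralises formula-like cells. The function names (csv_cell_is_formula, csv_escape_cell, export_users_csv), the column list and the sample users are assumptions made for the illustration; the sample formulas are deliberately harmless.

```php
<?php
// Added example, not code from the Import Export Users plugin: an exporter that
// neutralises formula-like cells before writing them, beside the unsafe behaviour.

/**
 * Return true when a spreadsheet would evaluate $value as a formula.
 * Excel and LibreOffice treat cells beginning with = + - @ as formulas; a leading
 * tab or carriage return can also be used to start one, so they are included.
 * Leading spaces are skipped so "  =cmd|..." does not slip past the check.
 */
function csv_cell_is_formula(string $value): bool
{
    $first = ltrim($value, ' ');
    return $first !== '' && in_array($first[0], ['=', '+', '-', '@', "\t", "\r"], true);
}

/**
 * Neutralise a dangerous cell by prefixing it with a single quote, which makes
 * spreadsheet programs display the content as literal text. The quote stays
 * visible to the person opening the file; that is the accepted trade-off.
 */
function csv_escape_cell(string $value): string
{
    return csv_cell_is_formula($value) ? "'" . $value : $value;
}

/**
 * Write $rows to a CSV string. With $sanitize = false user input is copied
 * verbatim (the unchecked behaviour of the vulnerable export); with true every
 * cell passes through csv_escape_cell() first. fputcsv() encloses fields that
 * contain delimiters, quotes, whitespace or newlines and doubles embedded quotes.
 */
function export_users_csv(array $columns, array $rows, bool $sanitize): string
{
    $fh = fopen('php://temp', 'r+');
    fputcsv($fh, $columns);
    foreach ($rows as $row) {
        $cells = [];
        foreach ($columns as $col) {
            $cell = (string) ($row[$col] ?? '');
            $cells[] = $sanitize ? csv_escape_cell($cell) : $cell;
        }
        fputcsv($fh, $cells);
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample data (hypothetical users, not taken from the report). The
// subscriber "mallory" has stored harmless formulas in profile fields; a real
// payload would sit in exactly the same place.
$columns = ['user_login', 'first_name', 'last_name', 'nickname'];
$users = [
    ['user_login' => 'alice',   'first_name' => 'Alice', 'last_name' => 'Smith',       'nickname' => 'alice'],
    ['user_login' => 'mallory', 'first_name' => '=1+1',  'last_name' => '@SUM(A1:A2)', 'nickname' => '  -2+3'],
];

echo "--- unsafe export (fields written unchecked) ---\n";
echo export_users_csv($columns, $users, false);
echo "--- hardened export ---\n";
echo export_users_csv($columns, $users, true);
```

In the hardened output mallory’s cells come out as 'n=1+1, '@SUM(A1:A2) and "'  -2+3" (the last one is enclosed in double quotes by fputcsv() because it contains spaces), and a spreadsheet shows them as plain text. The “-” and “+” rules also catch legitimate values such as negative numbers or phone numbers written with a leading sign; for a user export the affected fields are names, so that is harmless, but an exporter of numeric data should exempt cells that are valid numbers rather than drop the check.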
Timeline
- 15 August 2019 - 👨💻 Discovery
- 15 August 2019 - 👨💻 Report sent to Webtoffee support
- 16 August 2019 - 👨💼 Vendor requests more information
- 16 August 2019 - 👨💻 Detailed vulnerability report sent
- 19 August 2019 - 👨💼 Vendor does not recognize the issue as a vulnerability
- 22 August 2019 - 👨💻 Public disclosure