CVE-2019-17661
In short
A low-privileged authenticated user of a WordPress site running the Admin Columns plugin can store a spreadsheet formula in their first or last name. The plugin writes the name verbatim into its CSV export; when an administrator opens that file in Excel or another application that evaluates cell contents, the formula runs on the administrator's machine and can compromise it.
Technical detail
CSV injection in Admin Columns (codepress-admin-columns) 3.4.6 for WordPress: an authenticated, low-privileged user can set their first- or last-name field to formula code such as =cmd|'/c calc'!A0. The plugin does not neutralize a leading formula trigger ('=', '+', '-', '@') when it exports user data, so the payload lands unchanged in the CSV. When an administrator exports the user list and opens the file in a spreadsheet application, the formula is evaluated with the privileges of the user who opened the file; the cited payload uses Excel's DDE mechanism to launch an external command, which is why the impact is rated as remote code execution on the victim's workstation. Exploitation therefore depends on a privileged user opening the export, and on current Excel versions also on the user accepting the DDE security prompt.
Summary generated and translated by AI from the official description.
A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as his first or last name, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.
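As an added example (not code from the Admin Columns plugin, which is written in PHP; this is a Python illustration of the same export pattern), the following shows a user export that writes names verbatim as the advisory describes, the hardened variant that neutralizes formula triggers before writing, and a scanner an administrator can run over an export before opening it. The user rows and function names are constructed for this illustration; the first payload is the one cited in the description.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice Calc and Google Sheets
# evaluate a cell as a formula ('=', '+', '-', '@'); Excel also honours a
# leading tab or carriage return, so both are covered.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data (not real plugin output): user 2 has set their
# first name to the DDE payload cited in the advisory, user 3 uses the
# '@' variant, user 4 a leading '-' that a spreadsheet still evaluates.
SAMPLE_USERS = [
    (1, "Alice", "Admin", "alice@example.com"),
    (2, "=cmd|'/c calc'!A0", "Smith", "mallory@example.com"),
    (3, "@SUM(1+1)*cmd|'/c calc'!A0", "Jones", "eve@example.com"),
    (4, "-2+3", "Lee", "lee@example.com"),
]
HEADER = ["ID", "First name", "Last name", "Email"]


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return a value that a spreadsheet will store as text.

    A leading single quote forces text interpretation (the OWASP-recommended
    defence). Embedded double quotes are left to csv.writer with QUOTE_ALL,
    which doubles them so a value cannot close its field early.
    """
    text = str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_users_csv_vulnerable(users) -> str:
    """Export as the advisory describes: every field is written verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for user in users:
        writer.writerow(user)
    return buf.getvalue()


def export_users_csv_safe(users) -> str:
    """Hardened export: each cell is neutralized, then quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(HEADER)
    for user in users:
        writer.writerow([neutralize_cell(cell) for cell in user])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan an export before opening it: one (row, column, value) per risky cell."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for col_no, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((row_no, col_no, cell))
    return findings


if __name__ == "__main__":
    vulnerable = export_users_csv_vulnerable(SAMPLE_USERS)
    print(vulnerable)
    print("risky cells:", find_formula_cells(vulnerable))
    safe = export_users_csv_safe(SAMPLE_USERS)
    print(safe)
    print("risky cells after neutralizing:", find_formula_cells(safe))
```

Quoting on its own is not a defence: Excel strips the surrounding double quotes and still evaluates "=1+1" as a formula, so the apostrophe prefix is the part that matters. The prefix is visible as a literal character in some viewers, which is the usual trade-off accepted for exports. Because the export is only one sink for the stored name, the same check belongs on input too: rejecting or flagging profile names that begin with a trigger character stops the payload before it is stored.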
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a in the source record; per the description, the codepress-admin-columns (Admin Columns) plugin for WordPress, version 3.4.6.