CVE-2020-36503

Connections Business Directory < 9.7 - Admin+ CSV Injection

EPSS 1.2% | CWE-1236
In short

The Connections Business Directory WordPress plugin before version 9.7 fails to properly validate or clean user input in certain fields, allowing attackers with admin or higher privileges to inject malicious code into CSV exports that could execute when opened in spreadsheet applications.

Technical detail

Connections Business Directory versions before 9.7 contain a CSV injection vulnerability: insufficient input validation on specific connection fields lets authenticated admin+ users store values that are carried unchanged into exported CSV files, where spreadsheet applications such as Excel or LibreOffice may interpret them as formulas and evaluate them when the export is opened. Exploitation requires admin or higher privileges to write the malicious content into connection records.

Summary generated and translated by AI from the official description.
The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue.
