CVE-2021-24441
Sign-up Sheets < 1.0.14 - Authenticated CSV Injection
In short
The Sign-up Sheets WordPress plugin failed to properly clean user input in sheet titles before creating CSV exports, allowing attackers to inject malicious formulas into downloaded files.
Technical detail
An authenticated attacker can inject CSV formula code via the sheet title parameter, which is directly embedded into exported CSV files without sanitization. When a victim opens the malicious CSV in a spreadsheet application, the formula executes with the privileges of that user.
Summary generated and translated by AI from the official description.
The Sign-up Sheets WordPress plugin before 1.0.14 does not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue.
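
One way to neutralise the sheet title, and every other cell, at export time, following the common OWASP guidance of prefixing formula-leading cells with an apostrophe. This is an added example, not the plugin's own code or its 1.0.14 fix; the function names and sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example: neutralise formula-leading cells before writing a CSV export.
// Function names and sample data are hypothetical, not taken from the plugin.

/**
 * Return a cell value that a spreadsheet will treat as text, not a formula.
 */
function neutralise_csv_cell(string $value): string
{
    // Leading characters that make spreadsheet applications evaluate a cell.
    $triggers = ['=', '+', '-', '@', "\t", "\r"];

    if ($value !== '' && in_array($value[0], $triggers, true)) {
        // A leading apostrophe makes the cell render as literal text.
        // Trade-off: text such as "-5" is also prefixed.
        return "'" . $value;
    }
    return $value;
}

/**
 * Write rows to a CSV stream, neutralising every cell first.
 * fputcsv() then handles quoting of commas, quotes and newlines.
 */
function write_safe_csv($handle, array $rows): void
{
    foreach ($rows as $row) {
        $cells = array_map(
            static fn($cell): string => neutralise_csv_cell((string) $cell),
            $row
        );
        fputcsv($handle, $cells, ',', '"', '\\');
    }
}

// Constructed sample data: two sheet titles start with a formula trigger.
$rows = [
    ['Sheet title', 'Signups'],
    ['Spring picnic', 12],
    ['=1+1', 3],
    ['-5 degrees hike', 7],
];

$out = fopen('php://output', 'w');
write_safe_csv($out, $rows);
fclose($out);
```

Applying the check in the export path, not only when the title is saved, also covers titles that were stored before the fix.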
Affected products
Unknown · Sign-up Sheets