CVE-2023-5424 Information

Description

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to and including 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve

https://wsform.com/changelog/?utm_source=wp_plugins&utm_medium=readme

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail=

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

4.7

Base Severity

MEDIUM
