The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
References
Configurations
History
21 Nov 2024, 08:41
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/class-csv-exporter.php - Product | |
References | () https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php - Product | |
References | () https://plugins.trac.wordpress.org/changeset/3102475/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/ed037e94-68b4-4efc-9d1a-fffc4aff1c45?source=cve - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.4 |
05 Jul 2024, 14:11
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-1236 | |
First Time |
Businessdirectoryplugin business Directory
Businessdirectoryplugin |
|
CPE | cpe:2.3:a:businessdirectoryplugin:business_directory:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.0 |
References | () https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/class-csv-exporter.php - Product | |
References | () https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php - Product | |
References | () https://plugins.trac.wordpress.org/changeset/3102475/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/ed037e94-68b4-4efc-9d1a-fffc4aff1c45?source=cve - Third Party Advisory |
20 Jun 2024, 12:44
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
18 Jun 2024, 06:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-18 06:15
Updated : 2024-11-21 08:41
NVD link : CVE-2023-5527
Mitre link : CVE-2023-5527
CVE.ORG link : CVE-2023-5527
JSON object : View
Products Affected
businessdirectoryplugin
- business_directory
CWE
CWE-1236
Improper Neutralization of Formula Elements in a CSV File