WordPress Plugin Form Maker 1.12.20 CVE-2018-10504 – CSV Injection

Authors:Sairam Jetty        Risk:High

CVE:CVE-2018-10504         0day:CSV Injection

0day -id:0DAY-176126        Date:2018-05-02

Description

 

Custom Forms version 1.12.20 is affected by the vulnerability Remote Command Execution using CSV Injection. This allows a public user to inject commands as a part of form fields and when a user with higher privilege exports the form data in CSV opens the file on their machine, the command is executed.

Application

Form Maker provides a framework to build custom forms for Joomla users.

POC

Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
When high privileged user logs into the application to export form data in CSV and opens the file.
Formula gets executed and calculator will get popped in his machine.

Solution

Upgrade to version 1.12.24
https://wordpress.org/plugins/form-maker/

Reference

Form Maker by WD – user-friendly drag & drop Form Builder plugin

Leave a Reply