vendor: Ninja Forms
by: Mostafa Gharzi
CVSS: 7.5 HIGH
CSV Injection
CWE: 77
Product Name: Ninja Forms
Affected Version From: 3.3.13
Affected Version To: 3.3.13
Patch Exists: NO
Related CWE:
CPE: a:the_wp_ninjas:ninja_forms:3.3.13
Platforms Tested: Win10x64 & Kali Linux
2018
WordPress Plugin Ninja Forms 3.3.13 – CSV Injection
WordPress Ninja Forms plugin versions 3.3.13 and before are affected by Remote Code Execution through a CSV injection vulnerability. An application user can inject commands into form fields, and these commands are executed when a user with greater privileges exports the data as CSV and opens that file on their machine.
Mitigation:
Update to a patched version of the plugin.
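For sites that build their own CSV exports of form submissions, the following added example (not the plugin's code or its fix) shows export-side neutralization of cells that a spreadsheet would evaluate as formulas. The function names, field names and sample submissions are constructed for illustration.

```python
import csv
import io

# Leading characters that make spreadsheet applications evaluate a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the value as text a spreadsheet will display instead of evaluate."""
    text = str(value)
    # Conservative: also catch a trigger hidden behind leading whitespace.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        # A leading apostrophe marks the cell as literal text.
        # Trade-off: values such as "-5" or "+1 555 0100" are prefixed too.
        return "'" + text
    return text


def export_submissions(submissions, fieldnames):
    """Build CSV text from submissions; return (csv_text, flagged_cells).

    flagged_cells lists (row_index, field) for every neutralized value,
    so the exporter can log or review suspicious submissions.
    """
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas and quotes from splitting a cell
    # and starting a new one with attacker-chosen content.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(name) for name in fieldnames])
    flagged = []
    for index, submission in enumerate(submissions):
        row = []
        for field in fieldnames:
            raw = str(submission.get(field, ""))
            safe = neutralize_cell(raw)
            if safe != raw:
                flagged.append((index, field))
            row.append(safe)
        writer.writerow(row)
    return buf.getvalue(), flagged


# Constructed sample submissions (harmless formulas stand in for injected input).
SAMPLE = [
    {"name": "Alice", "email": "alice@example.com", "message": "Hello"},
    {"name": "=1+1", "email": "bob@example.com", "message": "  @SUM(A1:A2)"},
    {"name": "Carol", "email": "carol@example.com", "message": 'say "hi", ok'},
]

if __name__ == "__main__":
    text, flagged = export_submissions(SAMPLE, ["name", "email", "message"])
    print(text, flagged)
```

The flagged list doubles as a detection signal: a submission whose fields begin with a formula trigger is worth reviewing before the export is opened.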