CVE-2018-9035

9.6 CRITICAL

📋 TL;DR

This CSV injection vulnerability in the Contact Form 7 to Database Extension plugin allows attackers to embed malicious spreadsheet formulas into exported CSV files. When victims open these files in spreadsheet applications like Excel, the formulas execute, potentially leading to data theft or system compromise. WordPress sites using the vulnerable plugin version are affected.

💻 Affected Systems

Products:
  • Contact Form 7 to Database Extension WordPress plugin
Versions: 2.10.32 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin's CSV export functionality to be enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary code on victim machines when CSV files are opened in vulnerable spreadsheet applications, leading to full system compromise, data exfiltration, or ransomware deployment.

🟠 Likely Case

Attackers inject formulas that steal credentials, personal data, or execute commands when users open exported CSV files in Excel or similar applications.

🟢 If Mitigated

With proper controls, the impact is limited to formula execution within spreadsheet applications only, not server-side code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires victims to open malicious CSV files in vulnerable spreadsheet applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.33 and later

Vendor Advisory: https://wordpress.org/plugins/contact-form-7-to-database-extension/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Contact Form 7 to Database Extension'.
4. Click 'Update Now' if available, or manually update to version 2.10.33+.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable CSV Export (platform: all)

Temporarily disable CSV export functionality in plugin settings.

Input Sanitization (platform: linux)

Add custom validation to sanitize form inputs before CSV export.

Add PHP filter: preg_replace('/^([=+@-])/', "'$1", $input)

The capture group matters: replacing the match with a bare "'" would overwrite the leading character instead of prefixing it, so the stored value would lose its first character rather than being kept verbatim behind the apostrophe.
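The filter above neutralises a single value; a CSV export also has to quote each field so commas, quotes and newlines cannot break the cell boundary. The following is an added example, not code from the plugin: a small set of hypothetical helpers (cf7db_neutralise_formula, cf7db_csv_escape_field, cf7db_csv_row) that prefix formula trigger characters and emit RFC 4180 quoted rows, run over constructed sample submissions.

```php
<?php
// Added example, not part of the Contact Form 7 to Database Extension plugin.
// Function names and the sample rows are hypothetical / constructed.

/**
 * Prefix a value with an apostrophe when its first character would make a
 * spreadsheet application treat the cell as a formula. The trigger set
 * (=, +, -, @, tab, carriage return) follows OWASP's CSV injection guidance.
 * Unlike a bare replacement, the original first character is kept.
 */
function cf7db_neutralise_formula(string $value): string
{
    if ($value !== '' && strpos("=+-@\t\r", $value[0]) !== false) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Quote a single CSV field per RFC 4180 (always quoted, embedded quotes
 * doubled) after formula neutralisation, so that commas, quotes and
 * newlines inside user input cannot escape the cell.
 */
function cf7db_csv_escape_field(string $value): string
{
    $value = cf7db_neutralise_formula($value);
    return '"' . str_replace('"', '""', $value) . '"';
}

/** Build one CSV record from an array of raw field values. */
function cf7db_csv_row(array $fields): string
{
    return implode(',', array_map('cf7db_csv_escape_field', $fields)) . "\r\n";
}

// Constructed sample submissions: a benign one, one with an embedded quote
// and comma, and one whose message starts with a formula trigger.
$rows = [
    ['Alice',   'alice@example.com',   'Please call me back'],
    ['Bob',     'bob@example.com',     'Said "hi", then left'],
    ['Mallory', 'mallory@example.com', '=2+2'],
];

echo cf7db_csv_row(['Name', 'Email', 'Message']);
foreach ($rows as $row) {
    echo cf7db_csv_row($row);
}
```

Two trade-offs worth knowing before wiring this into an export: values that legitimately start with "-" (negative numbers, phone numbers with a leading dash) are also turned into text cells, and PHP's built-in fputcsv() handles the quoting step but performs no formula neutralisation, so the prefixing has to happen before the value reaches it.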

🧯 If You Can't Patch

  • Restrict access to CSV export functionality to trusted users only
  • Educate users to never open CSV files from untrusted sources in spreadsheet applications

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins

Check Version:

wp plugin list --name=contact-form-7-to-database-extension --field=version

(wp plugin list filters on the plugin slug, not its display title, so the slug from the plugin directory URL is used here.)

Verify Fix Applied:

Verify plugin version is 2.10.33 or higher and test CSV export with formula payloads

📡 Detection & Monitoring

Log Indicators:

  • CSV export requests with formula characters (=, +, @, -) in form data

Network Indicators:

  • HTTP requests to ExportToCsvUtf8.php with suspicious payloads

SIEM Query:

source="wordpress" AND uri="*ExportToCsvUtf8.php*" AND (form_data="=*" OR form_data="+*" OR form_data="@*")
