CVE-2022-38702
📋 TL;DR
This vulnerability allows authenticated WordPress users with export permissions to inject malicious formulas into CSV files exported via the WP CSV Exporter plugin. When these CSV files are opened in spreadsheet applications like Excel or LibreOffice, the formulas can execute arbitrary commands on the victim's computer. This affects all WordPress sites using vulnerable versions of the WP CSV Exporter plugin.
💻 Affected Systems
- Nakashima Masahiro WP CSV Exporter WordPress Plugin
📦 What is this software?
WP CSV Exporter (listed as Csv Exporter by Kigurumi) is a WordPress plugin that exports site data to CSV files for download.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authenticated access could create CSV files containing malicious formulas that execute arbitrary code on victims' computers when opened, potentially leading to full system compromise of anyone who opens the infected CSV.
Likely Case
Authenticated attackers inject formulas that execute commands or scripts on victims' computers, potentially stealing credentials, installing malware, or accessing sensitive data from users who open the CSV files.
If Mitigated
With proper access controls limiting export permissions and user education about CSV file risks, impact is limited to potential data manipulation within spreadsheets rather than code execution.
🎯 Exploit Status
Exploitation requires authenticated access to WordPress with export permissions. CSV injection techniques are well-documented and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.0
Vendor Advisory: https://patchstack.com/database/vulnerability/wp-csv-exporter/wordpress-wp-csv-exporter-plugin-1-3-6-authenticated-csv-injection-vulnerability
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP CSV Exporter.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and remove the plugin, then install the latest version from the WordPress repository.
🔧 Temporary Workarounds
Restrict Export Permissions
Limit CSV export capabilities to only trusted administrators
Disable Plugin
Temporarily disable the WP CSV Exporter plugin until patched:
wp plugin deactivate wp-csv-exporter
🧯 If You Can't Patch
- Remove export permissions from all non-essential users
- Educate users to never open CSV files from untrusted sources in spreadsheet applications
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → WP CSV Exporter version. If version is 2.0 or earlier, you are vulnerable.
Check Version:
wp plugin get wp-csv-exporter --field=version
Verify Fix Applied:
Verify plugin version is higher than 2.0 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual CSV export activity from non-admin users
- Multiple CSV export requests in short time
Network Indicators:
- CSV file downloads containing formula patterns like =cmd|' /C
- CSV files with leading characters: +, -, =, @
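The two network indicators above can be checked mechanically on any CSV export pulled from the site. The following is an added example, not code from the advisory or from the WP CSV Exporter plugin: it parses a CSV document, flags every cell that a spreadsheet would evaluate as a formula (leading =, +, -, @, tab or carriage return), marks cells that carry a command-style pattern such as the =cmd|' /C indicator as high severity, and shows the defanging step (a leading single quote, per the usual CSV-injection guidance) that a fixed exporter needs to apply on write. The sample export, the HIGH_RISK pattern list and the function names are constructed for illustration and are not taken from the plugin.

```python
"""
Added example (not part of the advisory or of the WP CSV Exporter plugin):
find formula-leading cells in a CSV export and neutralize them on output.
The sample CSV at the bottom is constructed for illustration.
"""
import csv
import io
import re
from typing import List, Tuple

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
# Tab and carriage return are included because some importers strip leading
# whitespace before deciding whether the cell is a formula.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed high-signal subset: the advisory's =cmd|' /C style indicator
# plus spreadsheet functions that reach outside the sheet.
HIGH_RISK = re.compile(
    r"^\s*[=+\-@].*?(\bcmd\b\s*\||HYPERLINK|WEBSERVICE|IMPORTXML|DDE)",
    re.IGNORECASE,
)


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return value.startswith(FORMULA_LEADERS)


def find_formula_cells(csv_text: str) -> List[Tuple[int, int, str, str]]:
    """Return (row, col, value, severity) for each formula-leading cell.

    Severity is 'high' when a known command/exfiltration pattern is present,
    otherwise 'low'. A plain negative number such as -3 also trips the
    leading '-' rule, so 'low' hits need triage before alerting on them.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                severity = "high" if HIGH_RISK.search(cell) else "low"
                hits.append((r, c, cell, severity))
    return hits


def neutralize_cell(value: str) -> str:
    """Defang a cell for export by prefixing a single quote, which makes
    the spreadsheet store it as text. This is the kind of change a fixed
    exporter needs; it is not the plugin's own code."""
    if is_formula_cell(value):
        return "'" + value
    return value


def neutralize_csv(csv_text: str) -> str:
    """Rewrite a CSV document with every formula-leading cell defanged.
    csv.writer doubles embedded quotes, so a cell cannot break out of its
    own quoting on the way back out."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample export: a benign negative number, a cell shaped like
# the advisory's =cmd|' /C indicator (payload replaced by a placeholder),
# and an ordinary spreadsheet function with a leading '@'.
SAMPLE_EXPORT = (
    "post_title,author,score\n"
    "Hello world,alice,-3\n"
    "\"=cmd|' /C placeholder\",mallory,10\n"
    "@SUM(A1:A2),mallory,7\n"
)

if __name__ == "__main__":
    for row, col, value, severity in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {row} col {col} [{severity}]: {value!r}")
    print(neutralize_csv(SAMPLE_EXPORT))
```

Run the scanner over exports retrieved from the server (or over CSV attachments seen in mail and web traffic) and route only the high-severity hits to an alert; the low-severity ones are dominated by negative numbers and phone-style values and belong in a review queue. Note that the same single-quote prefix that stops formula evaluation also turns legitimate negative numbers into text, which is why the check is applied at export time where the column types are known rather than as a blanket rewrite.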
SIEM Query:
source="wordpress" AND ("csv export" OR "wp-csv-exporter") AND user_role!="administrator"
🔗 References
- https://patchstack.com/database/vulnerability/wp-csv-exporter/wordpress-wp-csv-exporter-plugin-1-3-6-authenticated-csv-injection-vulnerability?_s_id=cve