CVE-2023-23796

9.8 CRITICAL

📋 TL;DR

This CSV injection vulnerability in the Form Builder WordPress plugin allows attackers to inject malicious formulas into exported CSV files. When opened in spreadsheet applications like Excel, these formulas can execute arbitrary commands, potentially compromising user systems. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Form Builder | Create Responsive Contact Forms WordPress plugin
Versions: n/a through 1.9.9.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin's form export functionality to be used. WordPress multisite installations may also be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on victim's computer when they open a malicious CSV file, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Formula execution in spreadsheet applications leading to data exfiltration, system information disclosure, or execution of local commands.

🟢 If Mitigated

Limited impact if CSV files are opened in applications that sanitize formula input or if users are trained to not open untrusted CSV files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (an administrator opening the exported CSV file), but the injection itself is straightforward: an attacker only needs to be able to submit a form, or otherwise place content into the form submission data that is later exported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.9.1

Vendor Advisory: https://patchstack.com/database/vulnerability/contact-form-add/wordpress-form-builder-create-responsive-contact-forms-plugin-1-9-9-0-csv-injection-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Form Builder | Create Responsive Contact Forms'.
4. Click 'Update Now' if available, or download version 1.9.9.1+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable CSV Export

Temporarily disable CSV export functionality in plugin settings

CSV Sanitization Filter

Add custom filter to sanitize CSV output before download

Add to the theme's functions.php (the 'form_builder_csv_output' hook name is the one given here; confirm that the hook exists in your plugin version before relying on it):

    add_filter('form_builder_csv_output', 'sanitize_csv_formulas');

    // Prefix any cell that starts with a formula trigger (=, +, -, @) with a
    // single quote so spreadsheet applications render it as text. The capture
    // group keeps the original first character; replacing it outright would
    // silently corrupt legitimate values such as negative numbers.
    // preg_replace applies element-wise when $data is an array of cells.
    function sanitize_csv_formulas($data) {
        return preg_replace('/^([=+\-@])/', '\'$1', $data);
    }

🧯 If You Can't Patch

  • Disable the Form Builder plugin entirely and use alternative form plugins
  • Implement web application firewall rules to block CSV formula injection patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for 'Form Builder | Create Responsive Contact Forms' version 1.9.9.0 or earlier

Check Version:

wp plugin list --name='Form Builder' --field=version

Verify Fix Applied:

Verify plugin version is 1.9.9.1 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • CSV export requests with unusual parameters
  • Form submissions containing formula characters (=, +, -, @)

Network Indicators:

  • CSV file downloads from form export endpoints
  • Unusual outbound connections after CSV downloads

SIEM Query:

source="wordpress" AND (url="*export-csv*" OR url="*download-csv*") AND (form_data="=*" OR form_data="+*" OR form_data="-*" OR form_data="@*")
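The export-side neutralization from the workaround above and the detection rule behind this SIEM query rest on the same predicate: does a cell start with a character a spreadsheet treats as a formula trigger? The following is an added illustration in Python, not the plugin's own PHP code; it also spares plain signed numbers and phone numbers so legitimate exported data is not corrupted, and the sample rows are constructed.

```python
import csv
import io
import re

# Leading characters spreadsheet applications treat as the start of a formula.
# '=', '+', '-' and '@' are the ones this advisory names; tab and carriage return
# are further triggers honoured by Excel and LibreOffice (added here as hardening).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain signed number or phone number ("-5", "+44 20 7946 0958") is not a
# formula; leaving these alone avoids corrupting legitimate exported data.
_NUMERIC = re.compile(r"^[+-]?\d[\d .,()-]*$")


def is_formula_like(value: str) -> bool:
    """True if the cell would be parsed as a formula when the CSV is opened."""
    return value.startswith(FORMULA_TRIGGERS) and not _NUMERIC.match(value)


def neutralize_cell(value: str) -> str:
    """Prefix a formula-like cell with a single quote so it renders as text."""
    return "'" + value if is_formula_like(value) else value


def export_csv(rows):
    """Render rows as CSV text with every cell neutralized. QUOTE_ALL wraps each
    field in double quotes, so a value containing commas or quotes cannot break
    out of its cell and shed the protective prefix."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def flag_submissions(rows):
    """Detection counterpart of the SIEM query: (row index, field) pairs whose
    content starts with a formula trigger and is not a plain number."""
    return [(i, str(cell)) for i, row in enumerate(rows)
            for cell in row if is_formula_like(str(cell))]


# Constructed sample submissions (not real data); rows 2 and 3 carry harmless
# formulas that a vulnerable export would pass through verbatim.
SAMPLE_ROWS = [
    ["name", "phone", "message"],
    ["Alice", "+44 20 7946 0958", "Hello, thanks!"],
    ["Bob", "n/a", "=SUM(1,2)"],
    ["Carol", "01234", "@SUM(A1:A2)"],
]
```

Running flag_submissions(SAMPLE_ROWS) reports only the two formula cells, while export_csv(SAMPLE_ROWS) leaves Alice's phone number untouched and emits Bob's message as "'=SUM(1,2)".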
