CVE-2023-41798

8.8 HIGH

📋 TL;DR

This CVE describes a CSV injection vulnerability in the Directorist WordPress plugin. Attackers can embed malicious formulas in the plugin's CSV exports; the formulas execute when the file is opened in a spreadsheet application such as Excel, potentially leading to command execution or data theft on the user's machine. WordPress sites running Directorist versions up to and including 7.7.1 are affected.

💻 Affected Systems

Products:
  • Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Versions: all releases up to and including 7.7.1 (no lower bound listed)
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the CSV export functionality to be enabled and used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on client machines when users open malicious CSV exports, potentially leading to full system compromise, data exfiltration, or ransomware deployment.

🟠 Likely Case

Formula execution in spreadsheet applications leading to data manipulation, local file access, or execution of local commands on the user's system.

🟢 If Mitigated

Limited impact if users don't open CSV files in vulnerable spreadsheet applications or if proper input validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (a user opening the exported CSV file) and typically requires some level of access to the site to generate or upload CSV files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.7.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/directorist/wordpress-directorist-plugin-7-7-0-csv-injection

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Directorist plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable CSV Export

Temporarily disable CSV export functionality in plugin settings to prevent exploitation.

Input Sanitization

Implement custom validation that sanitizes CSV output by escaping any field that begins with a formula character (=, +, -, @), so spreadsheet applications treat the cell as text.
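As an added illustration of that workaround (this is not Directorist's code or anything from the advisory), the PHP below applies the escape at export time, immediately before each row is written with fputcsv(). It extends the page's trigger set (=, +, -, @) with the tab and carriage-return characters that OWASP's CSV injection guidance also treats as triggers; the function names and the sample listing rows are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from Directorist or the advisory: neutralise
// spreadsheet formula injection in CSV output before rows are written.
// The trigger set is the advisory's (=, +, -, @) plus tab and carriage
// return, which OWASP's CSV injection guidance also lists (assumption:
// the export follows that guidance).
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Return $value made safe for a CSV cell: a field that begins with a
 * formula trigger is prefixed with an apostrophe so spreadsheet
 * applications treat it as text instead of evaluating it.
 */
function escape_csv_field(string $value): string
{
    if ($value !== '' && in_array($value[0], CSV_FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Write $rows (arrays of scalars) to $path as CSV, escaping every cell.
 * fputcsv() quotes cells containing delimiters, quotes or newlines; the
 * escape parameter is set to '' so embedded quotes are doubled (RFC 4180)
 * rather than backslash-escaped.
 */
function write_safe_csv(array $rows, string $path): void
{
    $fh = fopen($path, 'wb');
    if ($fh === false) {
        throw new RuntimeException("cannot open {$path} for writing");
    }
    foreach ($rows as $row) {
        $cells = array_map('escape_csv_field', array_map('strval', $row));
        fputcsv($fh, $cells, ',', '"', '');
    }
    fclose($fh);
}

// Constructed sample listing data; the third row's name field is the kind
// of value the advisory describes (a formula rather than a business name).
$rows = [
    ['name', 'phone', 'website'],
    ['Acme Bakery', '+1 555 0100', 'https://example.com'],
    ['=SUM(1,2)', '555 0101', '@example'],
];
write_safe_csv($rows, 'php://stdout');
```

Escaping at export time rather than rejecting values on save keeps the stored listings intact and confines the change to the CSV. The cost is visible in the sample: the legitimate phone number "+1 555 0100" also receives an apostrophe, and some spreadsheet applications display that character, so tell downstream consumers of the export to expect it.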

🧯 If You Can't Patch

  • Restrict CSV export functionality to trusted administrators only
  • Educate users to never open CSV files directly in spreadsheet applications; use text editors or import with data validation

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Directorist version. If version is 7.7.1 or earlier, you are vulnerable.

Check Version:

If WP-CLI is installed: wp plugin list --name=directorist --field=version

Verify Fix Applied:

Verify Directorist plugin version is 7.7.2 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • CSV export requests with suspicious payloads in parameters
  • User reports of unexpected spreadsheet behavior

Network Indicators:

  • CSV file downloads containing formula characters at start of fields

SIEM Query:

source="wordpress" AND ("directorist" OR "csv_export") AND ("=" OR "+" OR "-" OR "@")

Treat this as a starting point rather than an alert rule: the single-character terms match nearly every request, so scope the query to the plugin's CSV export requests and look for field values that begin with one of those characters.
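The network indicator above (formula characters at the start of fields in downloaded CSVs) can be checked mechanically at a proxy, mail gateway or download quarantine. The PHP below is an added example, not code from the page or from the plugin: it parses the CSV with fgetcsv() so that quoted cells and embedded line breaks are read correctly, and reports every cell that starts with a trigger character. The trigger set adds tab and carriage return to the page's four characters, following OWASP guidance; the sample export is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the advisory or Directorist): report every CSV
// cell that a spreadsheet application would interpret as a formula.
// Trigger set: the advisory's characters plus tab and carriage return
// (assumption, following OWASP CSV injection guidance).
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Parse $csv and return one ['row' => int, 'col' => int, 'cell' => string]
 * entry (1-based positions) for each cell starting with a trigger.
 * fgetcsv() is used instead of splitting on newlines so that quoted cells
 * containing commas, quotes or line breaks are handled correctly.
 */
function find_formula_cells(string $csv): array
{
    $fh = fopen('php://memory', 'r+b');
    fwrite($fh, $csv);
    rewind($fh);

    $hits = [];
    $row = 0;
    while (($cells = fgetcsv($fh, 0, ',', '"', '')) !== false) {
        $row++;
        foreach ($cells as $col => $cell) {
            // A blank line parses as [null]; skip it and empty cells.
            if (is_string($cell) && $cell !== '' && in_array($cell[0], FORMULA_TRIGGERS, true)) {
                $hits[] = ['row' => $row, 'col' => $col + 1, 'cell' => $cell];
            }
        }
    }
    fclose($fh);
    return $hits;
}

// Constructed sample export: a benign listing, a phone number that starts
// with '+', and a "name" that is a formula. Quoting the formula in the file
// does not stop a spreadsheet from evaluating it once the quotes are
// stripped, which is why the scan inspects the parsed cell, not the raw text.
$sample = "name,phone,website\n"
    . "Acme Bakery,555 0100,https://example.com\n"
    . "\"=SUM(1,2)\",+1 555 0101,@example\n";

foreach (find_formula_cells($sample) as $hit) {
    printf("row %d, column %d: %s\n", $hit['row'], $hit['col'], $hit['cell']);
}
```

Expect triage noise: "+" and "-" legitimately begin phone numbers and negative values, so a hit is a prompt to inspect the cell rather than proof of an attack. Cells where the trigger is followed by a function name and parenthesis, or by a pipe character, are the ones to escalate.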
