In the world of cybersecurity, new vulnerabilities are continually being discovered that put systems and users at risk. One such recent discovery is CVE-2023-5527, which affects the Business Directory Plugin for WordPress. This plugin, widely used by businesses to create and manage directory listings, has over 10,000 active installations. The identified vulnerability allows for CSV Injection, posing a significant security threat that can lead to code execution on local systems when manipulated files are downloaded and opened.

CVECVE-2023-5527
PluginBusiness Directory Plugin < 6.4.4
CriticalHigh
All Time1 656 123
Active installations10 000+
Publicly PublishedJune 9, 2024
Last UpdatedJune 9, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5527
https://wpscan.com/vulnerability/e0e5e4d1-fc10-4d54-844f-ba7c8d590f1c/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

May 6, 2023Plugin testing and vulnerability detection in the Business Directory Plugin have been completed
May 6, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
June 9, 2024Registered CVE-2023-5527

Discovery of the Vulnerability

The vulnerability was found during a routine security audit of the Business Directory Plugin, specifically in versions up to and including 6.4.3. The issue resides in the class-csv-exporter.php file, which is responsible for exporting directory data into CSV format. Attackers with author-level permissions or higher can exploit this vulnerability by embedding malicious input into fields that are later exported as CSV files by administrators. This exploitation can lead to the execution of malicious code when these CSV files are opened on systems with certain vulnerable configurations.

Understanding of Stored XSS attack’s

CSV Injection, also known as Formula Injection, occurs when untrusted input is embedded into a CSV file in such a way that it gets interpreted as a formula by spreadsheet applications like Microsoft Excel or LibreOffice Calc. When the CSV file is opened, the embedded formula is executed, potentially leading to code execution or data manipulation.

In the case of the Business Directory Plugin, an attacker can input data such as =1+1 into a directory field. When this data is exported to a CSV file and later opened in a spreadsheet application, it will be interpreted as a formula and executed, resulting in the display of 2 in the cell. While this example seems harmless, more sophisticated payloads can perform actions like opening a remote URL, which can be used to deliver further exploits.

Exploiting the Stored XSS Vulnerability

Exploiting this vulnerability involves several steps:

POC:

Authentication: The attacker needs to have author-level permissions or higher on the WordPress site.

Payload Injection: The attacker inputs a malicious formula into a directory field. For instance, =HYPERLINK("http://malicious.site").

CSV Export: The site administrator exports the directory data to a CSV file.

File Opening: The exported CSV file is opened by the administrator on a local system with a vulnerable spreadsheet application.

Code Execution: The malicious formula executes, potentially leading to unauthorized actions like opening a remote URL or executing a script.

____

The impact of CSV Injection can vary from simple data manipulation to severe security breaches:

  • Unauthorized Data Access: Attackers can craft payloads that send sensitive data to remote servers.
  • Malicious Script Execution: Embedding scripts that execute upon opening the CSV file can compromise the local system.
  • Business Disruption: Manipulating directory data can lead to incorrect information being displayed, affecting business operations.

Recommendations for Improved Security

To mitigate the risks associated with CSV Injection:

  1. Input Validation: Implement strict input validation to sanitize and escape all user-provided data before it is included in CSV exports.
  2. Security Updates: Regularly update the Business Directory Plugin and all other plugins to their latest versions to ensure any known vulnerabilities are patched.
  3. User Permissions: Limit the number of users with author-level permissions or higher and ensure only trusted individuals have access to these roles.
  4. Spreadsheet Application Security: Educate administrators to disable the automatic execution of formulas in spreadsheet applications and use CSV viewers that do not interpret formulas.

By taking proactive measures to address CSV Injection vulnerabilities like CVE-2023-5527, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #Injection #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2023-5527 – Business Directory Plugin – CSV Injection – POC

Leave a Reply

Your email address will not be published. Required fields are marked *