Appointment Booking Calendar, CVE-2020-9372

CVE, Research URL: CVE-2020-9372
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Published on: Mar 05, 2020
Research Description: The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
Affected versions: max 1.3.35.
Status: vulnerable