WordPress Business Directory Plugin CSV Injection Vulnerability (CVE-2023-5527) Analysis

### Vulnerability Overview * **CVE ID**: CVE-2023-5527 * **Vulnerability Name**: Business Directory Plugin – CSV Injection * **Vulnerability Type**: CSV Injection (also known as Formula Injection), classified under OWASP TOP-10 A7: Cross-Site Scripting (XSS). * **Description**: This vulnerability exists in the `class-csv-exporter.php` file, which is responsible for exporting directory data in CSV format. Attackers can embed malicious inputs into directory fields; when these data are exported to a CSV file by an administrator and opened locally, it may lead to malicious code execution. ### Scope of Impact * **Affected Plugin**: Business Directory Plugin for WordPress * **Affected Versions**: 6.4.3 and below (Version < 6.4.4) * **Active Installs**: Over 10,000 * **Publication Date**: June 9, 2024 ### POC / Exploitation Method Exploiting this vulnerability requires the attacker to have author-level or higher privileges. The specific steps are as follows: 1. **Payload Injection**: The attacker inputs a malicious formula into a directory field. * **Example Payload**: `HYPERLINK("http://malicious.site")` 2. **CSV Export**: The site administrator exports the directory containing the malicious data as a CSV file. 3. **File Opening**: The administrator opens the CSV file using a vulnerable spreadsheet application (such as Microsoft Excel or LibreOffice Calc) on their local system. 4. **Code Execution**: The malicious formula is interpreted and executed, potentially leading to opening a remote URL or executing scripts. ### Remediation 1. **Input Validation**: Implement strict input validation to sanitize and escape all user-provided data before it is included in a CSV export. 2. **Security Updates**: Regularly update the Business Directory Plugin and all other plugins to ensure known vulnerabilities are patched. 3. **User Privileges**: Limit the number of users with author-level or higher privileges, ensuring only trusted individuals hold these permissions. 4. **Spreadsheet Application Security**: Educate administrators to disable automatic formula execution in spreadsheet applications and use CSV viewers that do not interpret formulas.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Business Directory Plugin CSV Injection Vulnerability (CVE-2023-5527) Analysis