
WordPress CSV Injection

A CSV injection vulnerability in version 3.4.6 of the WordPress plugin “Admin Columns” from Codepress allows malicious users to gain remote control of other computers. By choosing formula code as their first or last name, an attacker can create users whose names contain malicious code. Other users might download this data as a CSV file and compromise their PC by opening it in a tool such as Microsoft Excel. The attacker could then gain remote access to the user’s PC. The vulnerability was reported as CVE-2019-17661.

Background

We discovered a security issue in the WordPress plugin “Admin Columns” from Codepress, software for content management. Because input is not sufficiently filtered, an attacker can enter malicious formula data. This enables attacks on clients who export the data as a CSV file and open it in tools like Microsoft Excel or LibreOffice Calc. If the malicious code is executed successfully, the attacker can infect users with malware and gain control over their host computers.

 

Steps to Reproduce

When creating a new user account, a malicious user is able to put formula code into the “First Name” and “Last Name” fields. Authorized users can export and download all the accounts registered in the system as a CSV file. If the infected CSV file is opened with Microsoft Excel, the malicious formula code will be executed. In this example, the value = cmd |' / C calc '!A0 was used as the First Name. When the file is opened, Excel interprets and executes the formula.

Root Cause

This issue exists due to insufficient input filtering. To mitigate it, we recommend sanitizing cells that begin with any special character that might trigger the creation of a formula, such as "=", "+", "@" or "-", by prepending a single quote (apostrophe, ') to the cell, so that its content is not interpreted as a formula.
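
The recommended sanitization, sketched as an added example in PHP (this is not the plugin's code; the function names neutralize_cell and export_users_csv are hypothetical and the sample rows are constructed). It goes slightly beyond the advisory by also checking the first character after leading whitespace, which is labelled as an assumption in the code.

```php
<?php
// Added example: neutralize formula-leading cells before writing a CSV export.

// Characters the advisory lists as able to start a formula.
const FORMULA_TRIGGERS = ['=', '+', '@', '-'];

/**
 * Prefix a cell with an apostrophe when its first character would make a
 * spreadsheet application treat the cell as a formula.
 */
function neutralize_cell($value): string
{
    $text = (string) $value;
    // Assumption beyond the advisory: leading whitespace (space, tab, CR, LF)
    // may be skipped by the spreadsheet, so test the first visible character.
    $trimmed = ltrim($text);
    if ($trimmed !== '' && in_array($trimmed[0], FORMULA_TRIGGERS, true)) {
        return "'" . $text;
    }
    return $text;
}

/** Build the CSV in memory, sanitizing every cell of every row. */
function export_users_csv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        // fputcsv handles quoting of commas and double quotes; the formula
        // prefix has to be applied separately, before the row is written.
        fputcsv($fh, array_map('neutralize_cell', $row), ',', '"', '\\');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample data: one harmless account, one with the First Name
// value from the advisory, one with other trigger characters.
$rows = [
    ['First Name', 'Last Name', 'Email'],
    ['Alice', 'Smith', 'alice@example.com'],
    ["= cmd |' / C calc '!A0", 'Doe', 'mallory@example.com'],
    ["\t+1+1", '@handle', 'bob@example.com'],
];

echo export_users_csv($rows);
```

Legitimate values that start with one of these characters, such as a negative number, also receive the apostrophe, so consumers that parse the export programmatically need to account for it.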

 

Fix

The issue was reported to WordPress, but according to them this behaviour does not present a security risk to the application and no fix is planned.
We were able to successfully replicate the issue in the following releases:


• WordPress version 5.2.3
• WordPress version 5.0.3
• WordPress version 4.8.3

According to Codepress, a WordPress version higher than 4.5 is needed in order to install version 3.4.6 of the plugin “Admin Columns”.

 

Credit

Credit for finding and reporting the issue:

Evgeni Sabev (Deloitte)