Export Users to CSV is a WordPress plugin that allows website owners/admins to export users list and metadata in a CSV file. While testing the plugin, I was able to find that it is vulnerable to CSV Injection.
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with ‘=’ will be interpreted by the software as a formula. Maliciously crafted formulas can be used for performing attacks.
— OWASP
Impact
An attacker can register themselves as a subscriber in a WordPress website and provide malicious payloads (formula) into the user account details field. When an authenticated admin uses the Export Users to CSV plugin to export the details of all the users into a CSV file and open it, the payload gets executed and can lead to unintended actions such as redirections to unknown/harmful websites.
Timeline
- Vulnerability reported to the Export Users to CSV team – February 08, 2020
Recommendation
From our efforts to reach the plugin developer, it looks like this plugin is not being actively developed. Until an update fixing the issue is released, it is recommended that users seek out an alternative plugin.