CVE-2023-5527

Business Directory Plugin <= 6.4.3 - Authenticated (Author+) CSV Injection

Description

The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

References

Link	Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/ed037e94-68b4-4efc-9d1a-fffc4aff1c45?source=cve	third party advisory
https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/class-csv-exporter.php	product
https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php	product
https://plugins.trac.wordpress.org/changeset/3102475/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php	product

Frequently Asked Questions

What is the severity of CVE-2023-5527?: CVE-2023-5527 has been scored as a high severity vulnerability.
How to fix CVE-2023-5527?: To fix CVE-2023-5527, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-5527 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-5527 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-5527?: CVE-2023-5527 affects strategy11team Business Directory Plugin – Easy Listing Directories for WordPress.

Description

Category

CWE-1236 – Improper Neutralization of Formula Elements in a CSV File

References

Frequently Asked Questions