Fortinet's FortiGuard Labs has discovered a CSV / Macro Injection vulnerability in the WordPress Events Manager plugin.
Events Manager is a full-featured event registration plugin for WordPress based on the principles of flexibility, reliability and powerful features. The plugin has over 100,000 active installations and offers a PRO version with extended support.
A CSV Injection vulnerability was discovered in Events Manager Plugin version 188.8.131.52. It allows an unauthenticated or a low-privileged user to inject an OS command into a field that is written to the exported CSV file, leading to possible command/code execution when that file is opened in a spreadsheet application.
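As an added defender's example (not code from the Events Manager plugin or from Fortinet's advisory), the following Python shows the class of fix for this bug: a CSV export that neutralises formula-looking cells before writing them, shown beside the unsanitised variant, plus an audit helper that scans an existing export for cells a spreadsheet would evaluate. The attendee schema and sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that make a spreadsheet application treat a cell as a
# formula (and thereby as a possible DDE/macro trigger) when a CSV is opened.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def csv_safe_cell(value) -> str:
    """Neutralise one user-supplied value before it goes into a CSV export.

    Spreadsheets strip leading whitespace before looking at the first
    character, so the check runs on the stripped text, and the whole original
    value is prefixed with a single quote, which forces text interpretation.
    Caveat: this also quotes legitimate negatives such as "-5"; exempt columns
    that are validated as numeric if that matters for your export.
    """
    text = "" if value is None else str(value)
    if text.lstrip(" \t\r\n").startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_attendees(rows, sanitize=True) -> str:
    """Render attendee dicts (constructed keys: name, email, note) as CSV.

    sanitize=False reproduces the vulnerable pattern: values are copied into
    the file exactly as the registrant submitted them.
    """
    buf = io.StringIO()
    fields = ["name", "email", "note"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: row.get(k, "") for k in fields}
        if sanitize:
            cells = {k: csv_safe_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit an existing export: return (row, col, value) for each cell a
    spreadsheet would evaluate as a formula. Row 0 is the header line."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip(" \t\r\n").startswith(FORMULA_PREFIXES):
                hits.append((r, c, cell))
    return hits


# Constructed sample: one benign registration and one whose free-text note is
# a harmless formula, standing in for the injected content the advisory describes.
SAMPLE_ROWS = [
    {"name": "Alice Example", "email": "alice@example.invalid", "note": "vegetarian"},
    {"name": "Mallory", "email": "m@example.invalid", "note": "=SUM(1,2)"},
]
```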
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability:
Released Feb 05, 2020
Update the plugin to the latest version - EVENTS MANAGER 184.108.40.206 & PRO 220.127.116.11.
Fortinet reported the vulnerability to WP Events Plugin Team on February 04, 2020.
WP Events Plugin team confirmed the vulnerability on February 04, 2020.
WP Events Plugin team patched the vulnerability on February 05, 2020.