Fortinet Discovers WordPress Newsletter Plugin CSV Injection Vulnerability
Fortinet's FortiGuard Labs has discovered a CSV Injection vulnerability in the WordPress Newsletter plugin.
Newsletter Plugin is a popular newsletter and email marketing system for any WordPress blog. It offers several custom features and free add-ons. The plugin has over 300,000 active installations.
A CSV Injection vulnerability was discovered in the WordPress Newsletter plugin. It allows a user with low-level privileges, or no privileges at all, to submit through the subscription form a value that is written unsanitized into the exported CSV file and is interpreted as a spreadsheet formula when that file is opened, leading to possible code execution.
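The defensive counterpart to the flaw described above, as an added example that is not part of Fortinet's advisory or the plugin's code: the export routine neutralizes every user-controlled field before it reaches the CSV, and a scanner flags cells in an existing export that a spreadsheet would evaluate. The subscriber record layout (`email`, `first_name`, `last_name`) and all sample values are constructed for this example, not taken from the plugin.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (or as a line break inside a cell) when a CSV file is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_cell(value):
    """Return a value that spreadsheet software will treat as plain text.

    If the first non-blank character is a formula trigger, the cell is
    prefixed with a single quote so it is displayed literally instead of
    being evaluated. Leading whitespace is stripped first, otherwise a
    value such as "  =1+1" would slip past a naive startswith() check.
    Legitimate values that begin with "-" are prefixed too; that is the
    accepted trade-off of this approach.
    """
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text.lstrip()
    return text


def export_subscribers_csv(subscribers):
    """Build the CSV export as a string, neutralizing every user-supplied field.

    `subscribers` is an iterable of dicts with the keys email, first_name and
    last_name (a constructed layout for this example, not the plugin's schema).
    """
    columns = ("email", "first_name", "last_name")
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)  # quote every field
    writer.writerow(columns)
    for sub in subscribers:
        writer.writerow([neutralize_csv_cell(sub.get(col)) for col in columns])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Return (row, column) positions of cells a spreadsheet would evaluate.

    Useful for checking exports produced before the fix was applied.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip().startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits
```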
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability:
Released Mar 16, 2020
Users should update to the latest version 6.5.4.
Fortinet reported the vulnerability to the Newsletter Plugin Team on March 05, 2020
The Newsletter Plugin Team confirmed the vulnerability on March 06, 2020
The Newsletter Plugin Team patched the vulnerability on March 09, 2020