Fortinet Discovers WordPress Wise Chat Plugin CSV Injection Vulnerability
Fortinet's Fortiguard Labs has discovered a CSV Injection vulnerability in WordPress Wise Chat plugin.
Wise Chat is a leading chat plugin that helps to build a social network and to increase user engagement on your website by providing the possibility to exchange real time messages in chat rooms.
A CSV Injection vulnerability was discovered in WordPress Wise Chat Plugin (2.8.3). It allows an user with low level privileges (or unauthenticated) to inject a command in chat messages that will be included in the exported CSV file (via message backup), leading to possible code execution.
SolutionsFortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
Released May 08, 2020
Upgrade to the latest version - 2.8.4
Fortinet reported the vulnerability to Wise Chat Team on May 04 2020
Wise Chat Team confirmed the vulnerability on June 17, 2020
Wise Chat Team patched the vulnerability on July 02, 2020