Fortinet Discovers WordPress Visual Form Builder Plugin CSV Injection Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a CSV Injection vulnerability in WordPress Visual Form Builder Plugin.
Visual Form Builder is a plugin that allows you to build and manage all kinds of forms for your website in a single place. It has more than 50,000 active installations.
A CSV Injection vulnerability was discovered in the WordPress Visual Form Builder Plugin. It allows a user with low or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution when the file is opened in a spreadsheet application.
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: WordPress.Visual.Form.Builder.Plugin.CSV.Injection
Released Jun 06, 2022
Upgrade to version 3.0.7 or higher.
Timeline
Fortinet reported the vulnerability to VFBpro Team on Oct 29, 2021
VFBpro Team confirmed the vulnerability on Nov 3, 2021
VFBpro Team patched the vulnerability on Nov 3, 2021