A critical vulnerability (CVE-2022-3603) has been identified in the popular Export Customers List CSV for WooCommerce, WordPress Users CSV, and Export Guest Customer List WordPress plugins. The flaw lies in the plugin's improper validation of data when exporting CSV files, leaving it susceptible to CSV Injection attacks. The affected plugin versions are those before 2..69. This article explains the issue in detail, provides a code snippet, and shares links to the original references. It also outlines potential exploit scenarios and emphasizes the need to mitigate this vulnerability right away.

Details of the Vulnerability

The vulnerability stems from the fact that the plugin doesn't adequately validate the data before exporting it to a CSV file. As a result, attackers could tamper with cell data and insert custom malicious formulas that would execute upon opening the file. This type of attack, known as CSV Injection or Formula Injection, can have serious consequences, including data breaches, unauthorized data manipulation, or even complete system compromise.

The following code snippet demonstrates the vulnerability:

function export_csv() {
  header('Content-Type: text/csv');
  header('Content-Disposition: attachment; filename="customer-data.csv"');
  ...
  foreach ($data as $row) {
    fputcsv($output, $row); // No validation is performed on $row data before being written to the CSV file
  }
  ...
}

Exploit Scenario

In the wild, an attacker could exploit this vulnerability by adding a malicious payload to a user's data (e.g., Name, Billing Address, etc.) within the WooCommerce, WordPress user, or Guest customer lists. When an admin or a user with the necessary privileges exports the customer data using the vulnerable plugin, the harmful formula is written into the CSV file unchanged. Opening the weaponized CSV file in a spreadsheet application such as Microsoft Excel, Google Sheets, or LibreOffice Calc could lead to the execution of the attacker-supplied formula or trigger other unintended side effects.

Mitigating the Vulnerability

Users running any version of the Export Customers List CSV for WooCommerce, WordPress Users CSV, and Export Guest Customer List WordPress plugins before version 2..69 should immediately update to the latest version. This will ensure they are protected against this critical vulnerability (CVE-2022-3603).

It is also recommended that webmasters and system administrators exercise caution when opening CSV files and use strong security measures, such as robust security plugins, frequent software updates, and limiting user privileges, to minimize the risk of potential attacks.
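For developers, the fix on the export side is to neutralise formula trigger characters before each cell reaches fputcsv(). The following hardened routine is an added illustration, not the plugin's own patch; the function names sanitize_csv_cell and export_csv_safe and the sample rows are assumptions:

```php
<?php
// Added example (not the plugin's code): export that defuses CSV/Formula Injection.
// A cell beginning with = + - @ or a tab/carriage return is read as a formula by
// Excel, LibreOffice Calc and Google Sheets; a leading single quote forces text.

function sanitize_csv_cell($value) {
    $value = (string) $value;
    // Plain numbers such as "-12.50" or "+5" are legitimate data, not formulas;
    // leave them untouched so sorting and arithmetic in the sheet still work.
    if ($value === '' || is_numeric($value)) {
        return $value;
    }
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    if (in_array($value[0], $triggers, true)) {
        $value = "'" . $value;
    }
    return $value;
}

function export_csv_safe(array $rows, $stream) {
    header('Content-Type: text/csv');
    header('Content-Disposition: attachment; filename="customer-data.csv"');
    foreach ($rows as $row) {
        // Every cell is sanitised before fputcsv() quotes and writes it.
        fputcsv($stream, array_map('sanitize_csv_cell', $row));
    }
}

// Constructed sample rows: the third row carries formula-like values of the
// kind an attacker could plant in a customer's Name or Billing Address.
$rows = [
    ['Name', 'Billing Address', 'Balance'],
    ['Alice Example', '1 Main St', '-12.50'],
    ['=SUM(1,2)', '@home', '+5'],
];

$out = fopen('php://output', 'w');
export_csv_safe($rows, $out);   // writes '=SUM(1,2) and '@home as text, keeps -12.50 and +5
fclose($out);
```

Sanitising on export does not replace input validation on the stored customer fields; both layers should be in place, and spreadsheet users should still treat untrusted CSV files with care.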

Original References

The vulnerability was initially disclosed through a private submission to the WordPress plugin repository. Further details can be found in the official change logs of the Export Customers List CSV for WooCommerce (https://wordpress.org/plugins/export-customers-list-csv-woocommerce/#developers), WordPress Users CSV (https://wordpress.org/plugins/wp-users-csv-woogive/#developers), and Export Guest Customer List WordPress (https://wordpress.org/plugins/export-guest-customer-list/#developers) plugins.

Conclusion

The discovery of this critical vulnerability (CVE-2022-3603) highlights the importance of performing regular security audits and updating software to protect your business from potential attacks. If you make use of the Export Customers List CSV for WooCommerce, WordPress Users CSV, and Export Guest Customer List WordPress plugins, take action now and ensure your installation is up to date with the latest patches. Stay vigilant and prioritize your online security to safeguard your data and users.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 15:15:00 UTC