If you use WordPress, chances are you rely on plugins to extend your website’s features. One popular plugin, Contact Form 7 Database Addon – CFDB7, lets you store Contact Form 7 form submissions in your database and export them, usually as CSV files. However, before version 1.2.6.5, this plugin had a serious security flaw: CVE-2022-3634. Attackers could inject formulas into spreadsheet exports, potentially compromising site owners and anyone who opened those files.

Let’s dive into what CSV injection is, how this vulnerability works, and what you can do about it.

What is CSV Injection?

CSV (Comma-Separated Values) files are a common way to export tabular data. Most people open them with Microsoft Excel, Google Sheets, or similar programs. The problem? Some spreadsheet software, like Excel, will interpret cells starting with =, +, -, or @ as formulas.

An attacker could submit a form with a name like =cmd|'/C calc'!A, and when you export submissions and open the file in Excel, it would trigger the formula. If an attacker sneaks in a payload like =HYPERLINK("malicious-website.com"), or worse, a formula that abuses Excel’s capabilities, they could trick users or attempt further attacks.

Vulnerability Details

CVE-2022-3634 refers to the vulnerability in Contact Form 7 Database Addon (CFDB7) before version 1.2.6.5 where:

- User-submitted form data was not sanitized or validated before being exported.
- When form entries containing formula-injecting data were exported, spreadsheet software could execute the content as a formula.

Official advisories:
- Wordfence Advisory
- Patchstack Vulnerability Details

How an attack works

1. Submit malicious data: An attacker fills out your Contact Form 7 form, setting their name (or any other field) to a string that begins with =, +, -, or @, for example:

```text
Name: =HYPERLINK("http://malicious.com","Click Me!")
```

2. Export the submissions: The site owner (or admin) downloads the submissions as a CSV file using the CFDB7 plugin's export feature.

3. Open in spreadsheet: The exported CSV file is opened in Excel.

4. Formula is interpreted: The malicious cell is interpreted as a formula. Depending on the payload, it could:

Vulnerable Code Explained

The problem was that hostile user input wasn't neutralized during export. Here's a simplified snippet to show what went wrong:

```php
// Example of what could happen in the vulnerable version:
// every submitted value goes straight into the CSV row.
foreach ($fields as $field) {
    $row[] = $submission[$field]; // No sanitization
}
fputcsv($csvFile, $row);
```

What should’ve happened?
Data should be sanitized so that no cell starts with =, +, -, or @.

```php
// Prefix a cell with an apostrophe when it starts with a formula trigger,
// so spreadsheet software reads it as text instead of evaluating it.
function escapeForCSV($value) {
    $value = (string) $value;
    // Anchored character class: only a trigger in the first position counts.
    if (preg_match('/^[=+\-@]/', $value)) {
        // Neutralize formula injection
        return "'" . $value;
    }
    return $value;
}

// Safer export logic
foreach ($fields as $field) {
    $row[] = escapeForCSV($submission[$field]);
}
fputcsv($csvFile, $row);
```
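A fuller version of that hardening, added here as an example and not the plugin's own code: it also covers the tab and carriage-return triggers that OWASP lists, skips leading whitespace before checking, and re-parses its own output to confirm no trigger survived. The cfdb7_-prefixed function names and the sample rows are assumptions.

```php
<?php
// Added example, not the plugin's own code: a hardened export that neutralizes
// formula triggers before fputcsv(), plus a self-check that re-parses the result.
// Leading characters spreadsheet software may treat as a formula. Tab and CR
// are included because some importers strip them and evaluate what follows.
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];
// Leading whitespace is skipped: "  =1+1" is still evaluated by spreadsheets.
function cfdb7_is_formula_cell($value): bool {
    $t = ltrim((string) $value, " \t\r\n");
    return $t !== '' && in_array($t[0], CSV_FORMULA_TRIGGERS, true);
}

// A leading apostrophe forces the cell to be read as text.
function cfdb7_neutralize_cell($value): string {
    return cfdb7_is_formula_cell($value) ? "'" . (string) $value : (string) $value;
}
// Build the CSV in memory, neutralizing each cell of each row.
function cfdb7_export_csv(array $header, array $rows): string {
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $header);
    foreach ($rows as $row) {
        fputcsv($fh, array_map('cfdb7_neutralize_cell', $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Re-parse a finished export with fgetcsv() (handles quoted cells with embedded
// newlines) and report whether any cell would still be read as a formula.
function cfdb7_csv_has_formula_cells(string $csv): bool {
    $fh = fopen('php://memory', 'r+');
    fwrite($fh, $csv);
    rewind($fh);
    $found = false;
    while (!$found && ($cells = fgetcsv($fh)) !== false) {
        $found = count(array_filter($cells, 'cfdb7_is_formula_cell')) > 0;
    }
    fclose($fh);
    return $found;
}

// Constructed submissions modelled on the payloads discussed above.
$rows = [
    ['=HYPERLINK("https://evil.com","Please click")', 'test@evil.com', "+cmd|'/C calc'!A"],
    ['Alice', 'alice@example.com', '  -5 is my answer'],
];
$csv = cfdb7_export_csv(['Name', 'Email', 'Message'], $rows);
var_dump(cfdb7_csv_has_formula_cells($csv)); // check before offering the download
```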

Submitted form fields:

```text
Name: =HYPERLINK("https://evil.com","Please click")
Message: +cmd|'/C calc'!A
```

You open the CFDB7 dashboard and export entries. The downloaded CSV looks like this:

```csv
Name,Email,Message
"=HYPERLINK(""https://evil.com"",""Please click"")",test@evil.com,+cmd|'/C calc'!A
```

3. Victim opens the CSV in Excel

Excel will treat those cells as formulas, so clicking them can be dangerous, and if macros are enabled the payload can go on to run further exploit chains.

Protection and Fix

- Update: The plugin maintainers fixed this in version 1.2.6.5 and above (changelog).
- Input Sanitization: Always review and sanitize the export code in your own plugins or themes.
- User Guidance: Warn users that exporting untrusted data to CSV can be hazardous if the file is opened in Excel or Sheets.
- Sanitize Output: If you're exporting custom fields, escape cells starting with =, +, @, or - with a single quote (').

Further Reading & References

- Original Wordfence Advisory
- Official CVE Entry: CVE-2022-3634
- CSV Injection - OWASP
- Contact Form CFDB7 Plugin

Conclusion

WordPress plugins make life easier, but even popular ones can harbor nasty bugs like CSV injection. These attacks are dangerous because they target the people who trust you most—your admins. Always keep plugins up-to-date and remember: CSVs aren’t just spreadsheets, they can be a vector for attacks!

If you’re curious, Patchstack’s database contains more technical details about CVE-2022-3634.

Timeline

Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:47:00 UTC