Description
The Appointment Booking Calendar plugin before 1.3.35 for WordPress accepts arbitrary spreadsheet formulas as user input in any booking form (in fields such as Description or Name). That input can then be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php, so an attacker could achieve remote code execution via CSV injection.
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-04T10:26:16.042Z
Reserved: 2020-02-24T00:00:00.000Z
Link: CVE-2020-9372
Status: Modified
Published: 2020-03-04T19:15:13.917
Modified: 2026-06-17T03:27:50.077
Link: CVE-2020-9372
Weaknesses
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File