Plugin Exploit

CSV Injection in Export Users to CSV WordPress Plugin <= 1.4.2

Updated on: June 10, 2021

CSV Injection in Export Users to CSV WordPress Plugin <= 1.4.2

Export Users to CSV is a WordPress plugin that allows website owners/admins to export users list and metadata in a CSV file. While testing the plugin, I was able to find that it is vulnerable to CSV Injection.

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with ‘=’ will be interpreted by the software as a formula. Maliciously crafted formulas can be used for performing attacks.


CVE ID: CVE-2020-9466


An attacker can register themselves as a subscriber in a WordPress website and provide malicious payloads (formula) into the user account details field. When an authenticated admin uses the Export Users to CSV plugin to export the details of all the users into a CSV file and open it, the payload gets executed and can lead to unintended actions such as redirections to unknown/harmful websites.


Vulnerability reported to the Export Users to CSV team – February 08, 2020


From our efforts to reach the plugin developer, it looks like this plugin is not being actively developed. Until an update fixing the issue is released, it is recommended that users seek out an alternative plugin.


Was this post helpful?

Tags: , , , , , ,

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany