Fortinet Discovers WordPress Newsletter Plugin CSV Injection Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a CSV Injection vulnerability in the WordPress Newsletter plugin.
Newsletter is a popular newsletter and email marketing plugin for any WordPress blog. It offers several custom features and free add-ons, and has over 300,000 active installations.
A CSV Injection vulnerability was discovered in the WordPress Newsletter plugin. It allows a user with low-level privileges, or no privileges at all, to inject a command (a spreadsheet formula) through the public subscription form. The injected value is written unescaped into the CSV file that an administrator later exports, and is evaluated when that file is opened in a spreadsheet application, leading to possible code execution on the administrator's machine.
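To make the defensive side concrete, the following is an added example (it is not code from the Newsletter plugin or from Fortinet) of how a plugin's subscriber export can neutralise formula-like values before they reach a CSV file. The function names (`csv_cell_is_formula_like`, `csv_safe_cell`, `export_subscribers_csv`, `find_formula_like_fields`) and the subscriber rows are constructed for this illustration; the rule it applies is the widely used one of treating any cell that begins with `=`, `+`, `-` or `@` (after leading whitespace, tab or carriage return) as a formula and prefixing it with an apostrophe so spreadsheet applications read it as text.

```php
<?php
// Added example, not Newsletter plugin code: neutralise CSV/formula injection
// when exporting user-supplied subscriber fields.

/**
 * True when a cell would be evaluated as a formula by common spreadsheet
 * applications. Leading whitespace, tabs and carriage returns are stripped
 * first because spreadsheets ignore them before looking at the trigger character.
 */
function csv_cell_is_formula_like(string $value): bool
{
    $trimmed = ltrim($value, " \t\r\n");
    if ($trimmed === '') {
        return false;
    }
    return in_array($trimmed[0], ['=', '+', '-', '@'], true);
}

/**
 * Return a representation of $value that is safe to place in a CSV cell.
 * Genuine numbers such as "-12.5" are left alone so that numeric columns
 * still import correctly; only formula-like text gets the apostrophe prefix.
 */
function csv_safe_cell(string $value): string
{
    if (is_numeric($value)) {
        return $value;
    }
    if (csv_cell_is_formula_like($value)) {
        // A leading apostrophe tells spreadsheet applications "this is text".
        return "'" . $value;
    }
    return $value;
}

/**
 * Detection helper for an existing subscriber table: list every (row index,
 * column) whose stored value looks like a formula, so an administrator can
 * review entries that arrived through the public form.
 */
function find_formula_like_fields(array $subscribers): array
{
    $hits = [];
    foreach ($subscribers as $i => $row) {
        foreach ($row as $column => $value) {
            if (csv_cell_is_formula_like((string) $value)) {
                $hits[] = [$i, $column];
            }
        }
    }
    return $hits;
}

/**
 * Build the CSV export in memory and return it as a string. Every cell passes
 * through csv_safe_cell() before fputcsv() applies the usual quoting.
 */
function export_subscribers_csv(array $subscribers): string
{
    $fh = fopen('php://memory', 'w+');
    fputcsv($fh, ['email', 'first_name', 'last_name', 'status'], ',', '"', '');
    foreach ($subscribers as $row) {
        $cells = array_map('csv_safe_cell', array_map('strval', array_values($row)));
        fputcsv($fh, $cells, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample rows (not real data). The second row mimics a name
// submitted through the subscription form with a formula prefix; the third
// shows a hyphen-prefixed surname, which is harmless but still gets the prefix.
$subscribers = [
    ['email' => 'alice@example.com', 'first_name' => 'Alice', 'last_name' => 'Doe',    'status' => 'confirmed'],
    ['email' => 'bob@example.com',   'first_name' => '=1+1',  'last_name' => '@Home',  'status' => 'confirmed'],
    ['email' => 'carol@example.com', 'first_name' => 'Carol', 'last_name' => '-Smith', 'status' => 'unsubscribed'],
];

print_r(find_formula_like_fields($subscribers));  // flags row 1 (two fields) and row 2 (last_name)
echo export_subscribers_csv($subscribers);
```

The empty escape argument to `fputcsv()` (supported since PHP 7.4) disables PHP's non-standard backslash handling so quotes are escaped by doubling them, as RFC 4180 expects. The apostrophe prefix is visible to the administrator in the spreadsheet, which is intentional: it is a signal that the value was submitted with a formula trigger, and the `find_formula_like_fields()` sweep gives the same signal over data that was stored before the fix was in place.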
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: WordPress.Newsletter.Plugin.CSV.Injection
Released Mar 16, 2020
Users should update to the latest version, 6.5.4.
Timeline
Fortinet reported the vulnerability to the Newsletter Plugin Team on March 05, 2020
The Newsletter Plugin Team confirmed the vulnerability on March 06, 2020
The Newsletter Plugin Team patched the vulnerability on March 09, 2020