Fortinet Discovers WordPress Events Manager Plugin CSV Injection Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a CSV / Macro Injection vulnerability in the WordPress Events Manager plugin.
Events Manager is a full-featured event registration plugin for WordPress based on the principles of flexibility, reliability and powerful features. The plugin has over 100,000 active installations and offers a PRO version with extended support.
A CSV Injection vulnerability was discovered in Events Manager plugin version 5.9.7.1. It allows an unauthenticated or low-privileged user to inject an OS command that is included in the exported CSV file, leading to possible command/code execution.
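As an added example (not Fortinet's or the plugin's own code; the plugin is PHP, this is a Python model of an attendee-export path with constructed booking data), the vulnerable verbatim export sits beside the neutralization that OWASP's CSV injection guidance recommends, plus a check that flags formula-like values already stored:

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula
# (per OWASP CSV-injection guidance): '=', '+', '-', '@', tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample bookings standing in for the attendee data the plugin exports;
# every name and value here is made up for this example.
SAMPLE_BOOKINGS = [
    {"name": "Alice Example", "email": "alice@example.test", "phone": "+44 20 0000 0000"},
    {"name": "=1+1", "email": "bob@example.test", "phone": "0000"},
    {"name": "Carol", "email": "  @SUM(A1:A9)", "phone": "-"},
]
FIELDS = ["name", "email", "phone"]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate the cell instead of displaying it as text."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Force text interpretation with a leading single quote. The quote stays visible in
    the sheet and also applies to legitimate values such as a '+44' phone number."""
    return "'" + value if is_formula_like(value) else value


def export_bookings(bookings, fields=FIELDS, neutralize=True) -> str:
    """Render bookings as CSV. neutralize=False mirrors the vulnerable behaviour (user
    input copied verbatim into the file); neutralize=True is the hardened export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for booking in bookings:
        row = {f: str(booking.get(f, "")) for f in fields}
        if neutralize:
            row = {f: neutralize_cell(v) for f, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def find_formula_fields(bookings, fields=FIELDS):
    """Detection helper: (row index, field) pairs whose stored value is formula-like, for
    reviewing bookings already in the database when the patch is applied."""
    return [(i, f) for i, b in enumerate(bookings)
            for f in fields if is_formula_like(str(b.get(f, "")))]


if __name__ == "__main__":
    print(export_bookings(SAMPLE_BOOKINGS, neutralize=False))  # vulnerable output
    print(export_bookings(SAMPLE_BOOKINGS))                    # hardened output
    print(find_formula_fields(SAMPLE_BOOKINGS))
```

The leading quote is a deliberate, visible change to exported data; it is the accepted trade-off for keeping spreadsheet clients from evaluating attendee-supplied text.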
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: WordPress.Plugin.Events.Manager.CSV.Injection
Released Feb 05, 2020
Update the plugin to the latest version - EVENTS MANAGER 5.9.7.2 & PRO 2.6.7.2.
Timeline
Fortinet reported the vulnerability to WP Events Plugin Team on February 04, 2020.
WP Events Plugin team confirmed the vulnerability on February 04, 2020.
WP Events Plugin team patched the vulnerability on February 05, 2020.