Fortinet Discovers WordPress Wise Chat Plugin CSV Injection Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a CSV Injection vulnerability in the WordPress Wise Chat plugin.
Wise Chat is a leading chat plugin that helps to build a social network and to increase user engagement on your website by providing the possibility to exchange real time messages in chat rooms.
A CSV Injection vulnerability was discovered in WordPress Wise Chat Plugin (2.8.3). It allows a user with low-level privileges (or an unauthenticated user) to inject a command in chat messages that will be included in the exported CSV file (via message backup), leading to possible code execution.
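The export-side defence against this class of bug, as an added example that is not Wise Chat's code and not the 2.8.4 fix: every cell is neutralized before it is written, so a chat message that begins with a formula character is opened by a spreadsheet as plain text. The function names, the user/text field names and the sample messages are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the value as text a spreadsheet will not evaluate as a formula."""
    text = "" if value is None else str(value)
    # Also test the first character after leading whitespace, because some
    # spreadsheet applications trim it before deciding how to parse the cell.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe forces text interpretation
    return text


def export_messages(messages):
    """Serialize chat messages (hypothetical user/text fields) to CSV text."""
    buf = io.StringIO()
    # QUOTE_ALL wraps every field in quotes and doubles embedded quotes, so a
    # message cannot break out of its own cell with commas or quote characters.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["user", "message"])
    for msg in messages:
        writer.writerow([neutralize_cell(msg["user"]), neutralize_cell(msg["text"])])
    return buf.getvalue()


def exported_rows(messages):
    """Parse the export back into rows, as a spreadsheet import would."""
    return list(csv.reader(io.StringIO(export_messages(messages))))


# Constructed sample backup; the formulas used here are benign arithmetic.
SAMPLE_MESSAGES = [
    {"user": "alice", "text": "hello everyone"},
    {"user": "guest_17", "text": "=1+1"},
    {"user": "@bob", "text": "  +SUM(A1:A2)"},
    {"user": "carol", "text": 'she said "hi", then left'},
]

if __name__ == "__main__":
    print(export_messages(SAMPLE_MESSAGES))
```

The check applies to every user-controlled column, not only the message body, and it also prefixes legitimate values that start with a minus sign, which is acceptable for chat text.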
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: WordPress.WiseChat.Plugin.CSV.Injection
Released May 08, 2020
Upgrade to the latest version - 2.8.4
Timeline
Fortinet reported the vulnerability to Wise Chat Team on May 04, 2020
Wise Chat Team confirmed the vulnerability on June 17, 2020
Wise Chat Team patched the vulnerability on July 02, 2020