WordPress TablePress 1.14 CSV Injection

CVE Category Price Severity
N/A CWE-89 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2021-09-08
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

WordPress TablePress 1.14 CSV Injection
# Exploit Title: WordPress Plugin TablePress 1.14 - CSV Injection 
# Date: 07/09/2021
# Exploit Author: Nikhil Kapoor
# Vendor Homepage:
# Software Link:
# Version: 1.14
# Category: Web Application
# Tested on Windows

How to Reproduce this Vulnerability:

1. Install WordPress 5.8.0
2. Install and activate TablePress
3. Navigate to TablePress >> Add New >> Enter Table Name and Description (If You want this is Optional) >> Select Number of Rows and Columns
4. Click on Add Table
5. Now in Table Content Input Field Enter CSV Injection Payload
6. Click on Save Changes
6. Now go to All Table in TablePress select our entered table >> Click on Export >> Select CSV as an Export Format.
7. Click on Download Export File
8. Open the exported CSV file you will see that CSV Injection got Successfully Executed.

Payload Used :- @SUM(1+9)*cmd|' /C calc'!A0

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum