Major Security Vulnerability – CSV injection
When is this going to be fixed?
I understand your concern and your question about when this is going to be fixed. We take these reports very seriously; however, this issue is a bit of a special one.
First of all: rest assured that Admin Columns is safe to use and this issue can only occur when someone is allowed to submit unsanitized data into your WordPress install, which is something you never want to happen to begin with. It further requires that this data is exported to CSV, then imported into Excel and that someone would ignore any warnings it will give you about this. And even then, recent versions of Excel seem not to execute anything out of the box.
Even so, since Excel is so widely used we have decided to start escaping certain characters that could trigger this behaviour. For users who do not want this, we’ll offer a way to prevent the escaping.
So while we are patching this, it’s more about leaning towards the safe side than fixing something. The CSV export in Admin Columns is quite customizable and used in far more tools than Excel and Google Sheets. In other tools, the upcoming patch might do more harm than good. As such, there was also a strong case to make for keeping the data as is. But as said, for those cases we will create an easy workaround. It’s just no longer the default now.
I hope this gives you a good explanation. The patch will arrive within a few days.
Cheers!
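The escaping approach described above, as an added example that is not part of this thread or of the Admin Columns code base: cells whose first character could be read as a formula by a spreadsheet get a leading single quote, and a hypothetical `escape` flag stands in for the opt-out the post promises. The negative number in the constructed sample shows why the post calls this a trade-off for non-spreadsheet consumers.

```python
import csv
import io

# Cell prefixes that spreadsheet applications may interpret as a formula.
# '=' '+' '-' '@' are the classic triggers; tab and carriage return are
# included because some importers treat what follows them as a formula too.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def escape_csv_cell(value, escape=True):
    """Neutralise a cell that a spreadsheet could treat as a formula.

    A leading single quote makes Excel and Google Sheets treat the cell as
    text. `escape=False` reproduces the raw export for tools that do not
    need this (hypothetical flag, not the plugin's own API).
    """
    if value is None:
        return ""
    text = str(value)
    if not escape or not text.startswith(FORMULA_PREFIXES):
        return text
    return "'" + text


def rows_to_csv(rows, escape=True):
    """Render rows as CSV text with the cell escaping applied to every field.

    csv.writer already quotes commas, double quotes and newlines, so the only
    addition is the formula-prefix neutralisation above.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_csv_cell(cell, escape) for cell in row])
    return buf.getvalue()


# Constructed sample data: a harmless row, plus user-supplied values that
# start with formula-trigger characters (one is just a negative number).
SAMPLE_ROWS = [
    ["id", "display_name", "balance"],
    [1, "Alice", "10"],
    [2, "=SUM(1,2)", "-42"],
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_ROWS))
    print(rows_to_csv(SAMPLE_ROWS, escape=False))
```

Note that `-42` becomes `'-42` in the escaped export, which is exactly the kind of change a downstream tool that expects numeric columns would not want.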
Hi David
Thank you for the detailed explanation. Are you able to give a bit of history on this issue? It was first reported back on October 29, 2019, but “popped” again on June 10, 2024. As you say, this is a bit of a special one?
All the best
Well, I’m not sure if we got the 2019 memo. That has been a while. As said, we never considered opinionating our CSV export in favor of just Excel. So, while we understand why it is seen as a security issue, CSV was not made just for Excel, and as such our export did not ‘change’ data. But we think it will be a minor inconvenience for users who do not need or want this escape.
I think this issue just surfaced again because it was refreshed with a new version of the issue testing framework, but I’m not entirely sure.
Yeah, I was in the process of writing Wordfence, thinking it was a re-triggering mistake on their part. Whatever the case may be, thank you for pushing the update.
Take care
We have included a patch for this in our maintenance release 6.4.10, which is available as of now from your account page or directly from your plugins page within the WordPress admin.
Awesome, thanks. Yeah, it just popped up in a Wordfence scan yesterday. Had a client freak out about it and ask me.
Also keep getting this warning repeating from Wordfence on all sites where ACP is also installed… Happy to hear it is being dealt with… You may want to engage Wordfence and let them know to not keep notifying or modify the level of concern or change some wording, as they still are warning even past your 6.4.10 release…
Just as a follow-up to John, I’m seeing the same thing unfold (I’ve contacted Wordfence in relation to my experience, and referenced ACP’s changelog and this thread).
Update. I’m guessing ACP took direct contact to Wordfence. But, for the record, they just got back to me with the following: “Our vulnerability record has been updated to reflect that this is now patched”.
Take care
@Anders, thanks for letting us know. We indeed have contact with Wordfence and stated that the issue is patched.