CVE-2018-11525

Vulnerability

The plugin "Advanced Order Export For WooCommerce" for WordPress, versions 1.5.4 and earlier, is vulnerable to CSV Injection [1]. The plugin exports order data in CSV format without properly sanitizing fields that contain values starting with special characters such as =, +, -, or @. When the exported CSV file is opened by a spreadsheet application like Microsoft Excel or LibreOffice Calc, these fields are interpreted as formulas and executed [1].

Exploitation

An attacker can exploit this vulnerability by creating a WooCommerce order that includes a specially crafted value in one of the exportable fields (e.g., billing address, order note, or custom field). The value must start with a formula injection character (=, +, -, or @) followed by a malicious formula, such as =CMD|'/C calc'!A0 [2]. No special privileges are required; any user who can place an order on the WooCommerce site can inject the payload. When the site administrator or any user with order export privileges exports orders to CSV and opens the file in a spreadsheet application, the malicious formula executes [1].

Impact

Upon opening the crafted CSV file in a vulnerable spreadsheet application, the injected formula can execute arbitrary commands, read or write files, or exfiltrate data from the user's machine. This can lead to complete compromise of the user's system, depending on the spreadsheet application and its security settings [2]. The attacker gains the ability to execute commands at the privilege level of the user who opens the file, which may be administrative on their local system.

Mitigation

A fix was released in version 1.5.5 of the plugin [1]. Users should update to the latest version immediately. As a workaround, users should enable the "Enable Dynamic Data Exchange" and "Enable Protected View" settings in Microsoft Excel, or use a text editor to inspect CSV files before opening them in a spreadsheet application [2].