Sign-up Sheets < 1.0.14 - Authenticated CSV Injection

An authenticated attacker with the ability to create or edit sign-up sheets can inject a malicious payload into the Sheet title field. When an administrator or other user exports the sheet data as a CSV file, the unsanitized title is written directly into the CSV output [ref_id=1]. If the CSV is opened in a spreadsheet application such as Microsoft Excel, formulas starting with characters like `=`, `+`, `-`, or `@` are executed, potentially leading to arbitrary command execution on the victim's machine [CWE-1236].

The advisory does not specify exact file paths or function names. The vulnerability exists in the CSV export functionality of the Sign-up Sheets plugin, where the Sheet title is used without sanitization when generating the CSV output [ref_id=1].

The advisory states the vulnerability is fixed in version 1.0.14 of the Sign-up Sheets plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix would involve sanitizing or escaping the Sheet title before including it in the generated CSV file, preventing formula injection characters from being interpreted by spreadsheet software.