FluentForm < 4.3.13 - CSV Injection

An attacker who can submit form entries (e.g., a site visitor or authenticated user) can include payloads starting with characters like `=`, `+`, `-`, or `@` in form fields. When the administrator exports those entries as a CSV file via the FluentForm plugin [ref_id=1], the payload is written unescaped into the CSV. If the CSV is opened in a spreadsheet application (e.g., Microsoft Excel or LibreOffice Calc), the formula executes, potentially exfiltrating data or executing arbitrary commands [CWE-1236].

The advisory does not specify the exact file or function path. The vulnerability exists in the CSV export functionality of the FluentForm plugin (plugin slug: fluentform) in versions before 4.3.13 [ref_id=1].

The advisory states the plugin was fixed in version 4.3.13 [ref_id=1]. The fix adds validation and escaping of form entry fields before writing them into the exported CSV file, preventing spreadsheet formulas from being interpreted as code. No patch diff is included in the bundle, but the remediation guidance is to update to version 4.3.13 or later [ref_id=1].