Medium severity4.7NVD Advisory· Published Jun 7, 2024· Updated Apr 8, 2026

CVE-2023-5424

Description

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Affected products

Westguardsolutions/Ws Form2 versions
cpe:2.3:a:westguardsolutions:ws_form:*:*:*:*:lite:wordpress:*:*+ 1 more
- cpe:2.3:a:westguardsolutions:ws_form:*:*:*:*:lite:wordpress:*:*range: <1.9.218
- cpe:2.3:a:westguardsolutions:ws_form:*:*:*:*:pro:wordpress:*:*range: <1.9.218

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdPatch
www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3nvdThird Party Advisory
wsform.com/changelog/nvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.306
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000