10 Mar 2020

Vulnerability Details: CSV Injection in Newsletter

One of the changelog entries for the latest version of Newsletter is “Security fix on CSV export”. Based on other recently disclosed vulnerabilities, it seemed likely that this referred to fixing a CSV injection vulnerability, and quick testing confirmed that. The issue was fixed by adding escaping.

28 Feb 2020

Recently Closed WordPress Plugin with 60,000+ Installs Contains Multiple Vulnerabilities

The plugin Contact Form Submissions was closed on the WordPress Plugin Directory yesterday. It is one of the 1,000 most popular plugins, with 60,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a CSV injection vulnerability and an authenticated SQL injection vulnerability, which can also be exploited through cross-site request forgery (CSRF).

The CSV injection vulnerability involves a lack of escaping when using the plugin’s “Export to CSV” feature, as can be confirmed with the proof of concept below.

23 Aug 2019

Vulnerability Details: CSV Injection Vulnerability in WordPress Users & WooCommerce Customers Import Export(BASIC)

The changelog for the latest version of the plugin WordPress Users & WooCommerce Customers Import Export(BASIC) (Import Export WordPress Users) is “CSV Injection was fixed – reported by one of our user (Javier Olmedo) CVE-2019-15092”. Looking at the changes made confirmed that is an accurate description.

17 May 2018

Vulnerability Details: CSV Injection Vulnerability in WordPress Comments Import & Export

From time to time a vulnerability in a plugin is disclosed without the discoverer putting out a complete report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.
