CVE-2022-3463: 
WordPress vulnerability analysis and mitigation

The Contact Form Plugin (FluentForm) WordPress plugin before version 4.3.13 was found to contain a CSV injection vulnerability, identified as CVE-2022-3463. The vulnerability was discovered by Francesco Carlucci and publicly disclosed on October 17, 2022. This security issue affects the form entry export functionality of the plugin (WPScan).

The vulnerability stems from the plugin's failure to properly validate and escape fields when exporting form entries as CSV format. It has been classified as a CSV Injection vulnerability (CWE-1236) and falls under the OWASP Top 10 category A1: Injection. The vulnerability received a CVSS score of 3.4 (Low severity) (WPScan).

When exploited, this vulnerability allows for the execution of CSV formulas in spreadsheet applications like Excel or LibreOffice when the exported data is opened. This could potentially lead to formula injection attacks when administrators view the exported form entries (WPScan).

The vulnerability has been fixed in version 4.3.13 of the FluentForm plugin. Site administrators are advised to update to this version or later to mitigate the risk (WPScan).