CVE-2022-3604: 
WordPress vulnerability analysis and mitigation

The Contact Form Entries WordPress plugin before version 1.3.0 contains a CSV injection vulnerability, identified as CVE-2022-3604. The vulnerability was discovered by Francesco Carlucci and publicly disclosed on October 21, 2022. This security issue affects WordPress installations using the Contact Form Entries plugin that processes form submissions from various form plugins including Contact Form 7, Ninja Forms, Elementor Forms, and WP Forms (WPScan).

The vulnerability stems from inadequate data validation when exporting form entries to CSV files. The plugin fails to properly sanitize input data before writing it to CSV format, which can lead to CSV injection attacks. The vulnerability has been assigned a CVSS score of 4.7 (medium severity) and is classified under OWASP Top 10 category A1: Injection and CWE-1236 (WPScan).

When exploited, this vulnerability allows attackers to inject formulas into CSV files that can be executed when opened in spreadsheet applications like Excel or LibreOffice. This could potentially lead to data manipulation or malicious code execution when the exported CSV file is opened (WPScan).

The vulnerability has been patched in version 1.3.0 of the Contact Form Entries plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).