Impact
Statify – Extended Evaluation 2.6.3 and earlier are vulnerable to CSV injection. Posts whose title starts with something like @SUM(1+1)*cmd|' /C calc'!A0
and that have tracked views are included in the CSV export. If the exported CSV is opened in a vulnerable spreadsheet application, the payload will execute.
Patches
All users are encouraged to update to version 2.6.4 immediately.
Workarounds
There is no reason not to upgrade to the 2.6.4 version.
Users who do not want to upgrade to 2.6.4 should avoid using the CSV export provided by the plugin, or open the exported CSV file only in software that is not vulnerable to this type of CSV injection.
Note that exploitation requires a published post with a formula payload in the post title.
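As an added example (not the plugin's own code), the following PHP helper shows the kind of export-side fix the Impact and Workarounds sections call for: leading formula triggers in a cell value are neutralised before the row is written. The column layout, row data and function names are constructed for illustration.

```php
<?php
// Added example, not code from the Statify – Extended Evaluation plugin.
// Neutralise spreadsheet formula triggers before a value is written to a
// CSV export cell. Assumes rows are written with PHP's built-in fputcsv(),
// which takes care of delimiter/enclosure quoting.

/**
 * Return $value made safe for a CSV cell that a spreadsheet will open.
 * A leading =, +, -, @, tab or carriage return is treated as a formula start
 * by common spreadsheet applications, so such values get a single-quote
 * prefix, which forces the cell to be read as text.
 */
function csv_escape_cell(string $value): string {
    // Strip leading whitespace first: "  =1+1" may still evaluate.
    $trimmed = ltrim($value, " \t\r\n");
    if ($trimmed === '') {
        return $value;
    }
    if (preg_match('/^[=+\-@\t\r]/', $trimmed)) {
        return "'" . $value;
    }
    return $value;
}

/** Write one header row and one escaped row per post to $handle. */
function write_stats_csv(array $rows, $handle): void {
    fputcsv($handle, ['Post title', 'Views']);
    foreach ($rows as $row) {
        fputcsv($handle, [csv_escape_cell($row['title']), (int) $row['views']]);
    }
}

// Constructed sample rows, including the payload shape from this advisory
// and a harmless title that merely starts with a minus sign.
$rows = [
    ['title' => 'Hello world',                   'views' => 12],
    ['title' => "@SUM(1+1)*cmd|' /C calc'!A0",   'views' => 3],
    ['title' => '-1 reason to love WordPress',   'views' => 7],
];

$out = fopen('php://output', 'w');
write_stats_csv($rows, $out);
fclose($out);
```

The third row shows the trade-off of this approach: a legitimate title that happens to start with a formula character also receives the quote prefix, which is visible to the person opening the export.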
References
A similar security fix has been published for Posts and Users Stats.