As part of our regular research efforts, we’ve discovered a CSV injection vulnerability (CVE-2019-11872) affecting 80,000+ users of the Hustle WordPress plugin.

Current State of the Vulnerability

WPMU DEV’s Hustle plugin is responsible for creating pop-ups, slide-ins and email opt-ins. The vulnerability can be exploited without the need to log in, making it a pre-authentication vulnerability. This vulnerability could lead to the leak of sensitive data — and, in certain configurations, compromise an entire WordPress installation.
The developer was notified about the vulnerability. The vulnerability has been fixed in the 6.0.8.1 release.
We have not observed any in-the-wild exploitation attempts using this specific vulnerability.

Disclosure / Response Timeline

  • May 7, 2019 – Initial contact attempt
  • May 10, 2019 – Patch was released by plugin developer
  • May 10, 2019 – CVE-2019-11872 reserved

Technical Details

The WPMU DEV plugin Hustle is vulnerable to CSV injection because it allows malicious content to be submitted through a pop-up window. Successful exploitation allows an attacker to execute malicious code on the administrator’s computer via Microsoft Excel’s built-in functions: the plugin does not sanitize user input and accepts any text, including malicious formulas or macros, which are later written unchanged into an exported CSV file.

Vulnerability Flow

  1. The attacker visits a website where the Hustle plugin is installed.
  2. The attacker finds a pop-up window with input fields such as email, first name or last name.
  3. The attacker enters malicious code instead of a first or last name into the pop-up window.
  4. The Hustle plugin saves it into an internal database.
  5. The administrator exports all the information about users from this plugin to a CSV file.
  6. The administrator opens the obtained CSV file in Microsoft Excel and the malicious code gets executed.
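The unsafe step in this flow is the export: stored values that start with a formula trigger are written to the CSV untouched. Below is an added illustration (written for this post in Python, not code from the Hustle plugin) of the two defender-side checks that break the chain: an audit of stored submissions for formula-like values, and an export routine that quotes every cell and neutralizes formula-like ones. The submission records and field names are constructed samples.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Tab and carriage return are included because some importers strip them first.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample of opt-in submissions as a plugin might store them
# (hypothetical data, not taken from any real Hustle database).
SUBMISSIONS = [
    {"first_name": "Alice", "last_name": "Smith", "email": "alice@example.com"},
    {"first_name": "=SUM(1,2)", "last_name": "Jones", "email": "bob@example.com"},
    {"first_name": "Carol", "last_name": "-Lee", "email": "carol@example.com"},
]
FIELDS = ["first_name", "last_name", "email"]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would parse the cell as a formula instead of text."""
    return value.startswith(FORMULA_TRIGGERS)


def find_suspicious(rows, fields=FIELDS):
    """Detection: (row index, field) pairs whose stored value looks like a formula."""
    return [(i, f) for i, row in enumerate(rows)
            for f in fields if is_formula_like(str(row.get(f, "")))]


def neutralize_cell(value: str) -> str:
    """Mitigation: prefix formula-like cells with a single quote so the
    spreadsheet treats them as text. Legitimate values such as "-Lee" are
    prefixed too; the visible apostrophe is the accepted trade-off."""
    return "'" + value if is_formula_like(value) else value


def export_csv(rows, fields=FIELDS) -> str:
    """Export rows with every cell quoted and formula-like cells neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralize_cell(str(row.get(f, ""))) for f in fields})
    return buf.getvalue()


if __name__ == "__main__":
    print("suspicious cells:", find_suspicious(SUBMISSIONS))
    print(export_csv(SUBMISSIONS))
```

Running the audit against existing records is worth doing once after patching, since anything submitted before the update is still stored as-is.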

Recommendations

CSV injections are quite easy to perform, and you have to be ready to prevent this kind of attack. Always install the latest versions of your CMS, plugins and themes, and keep them up to date.

Penetration and vulnerability testing can help you analyze your system and find out whether any of your software needs an update or contains vulnerabilities that could lead to a data leak and compromise your systems and their users.

If you are still using an older version of the Hustle plugin, update it as soon as possible to mitigate the risk to your website. We encourage plugin users to update to the latest 6.0.8.1 release without delay.

Credits

Mark Parfeniuk, Penetration & Vulnerability Tester from REDdy Solutions