CVE-2023-5424
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection
CVSS Score
4.7
EPSS Score
0.0%
EPSS Percentile
0th
The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
| CWE | CWE-1236 |
| Vendor | westguard |
| Product | ws form lite – drag & drop contact form builder |
| Published | Jun 7, 2024 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for westguard ws form lite – drag & drop contact form builder
Be the first to know when new medium vulnerabilities affecting westguard ws form lite – drag & drop contact form builder are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
westguard / WS Form LITE – Drag & Drop Contact Form Builder
0 ≤ 1.9.217
WS Form / WS Form Pro
0 ≤ 1.9.217
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve wsform.com: https://wsform.com/changelog/?utm_source=wp_plugins&utm_medium=readme plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail=
Credits
Duc Manh