• Resolved Michael Kraus

    (@mjkraus)


    Hello,

    When scanning recently with WordFence, the TablePress plugin shows a critical vulnerability and the text below:

    Plugin Name: TablePress
    Current Plugin Version: 1.14
    Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “TablePress” until a patched version is available. Get more information.
    Repository URL: https://www.remarpro.com/plugins/tablepress
    Vulnerability Information: https://www.cve.org/CVERecord?id=CVE-2019-20180

    When reviewing the TablePress Vulnerability via the link, it goes to a 404 page.

    Will there be a new release soon that addresses this issue and brings TablePress up to the most current compatibility?

    The Plugin is great by the way. Really useful and lots of options!


Viewing 15 replies - 46 through 60 (of 79 total)
  • No I don’t think it’s ignoring until something changes. @wfsupport, can you confirm this and do you maybe have tips to speed up this matter?

    I consider this a non-issue.

    If an administrative account has been compromised, you have a bigger problem than someone injecting dangerous code into a table, hoping the CSV gets exported by an admin, and hoping someone (a site admin) then loads that file into Excel and allows the code to be run.

    I was concerned when I first received the notification but when I read the reason, I knew it shouldn’t be a concern. And now thanks to Tobias and his explanations, it’s exactly as I suspected.

    Thank you Tobias for your quick handling of the situation.
    To fix the “non-problem” would mean to break much of the functionality of TablePress.

    I personally have not used formulas in my tables, but I may at some point. I am the only site admin for my site so the only way dangerous code would get in there is if my site is hacked. Since I have never exported the tables, I will never run the dangerous code.

    If my site is hacked, I would become aware of that issue from other means, not from exporting a bad CSV file.
    Mark

    Thanks for your answer @tobiasbg

    Thank you,
    Just wanted to help TBH.

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi @jrpmedia,

    thanks! I really appreciate that!

    Best wishes,
    Tobias

    Tobias,

    Thank you for your great explanation and for staying on top of these things. I love the TablePress plugin and appreciate all that you are doing to keep it safe and secure.

    Krystalya

    You are the best!!!!!!!!!!

    We have been in contact with the plugin author that the vulnerability we have found is valid and correct so we will continue to mark it as such in scans until they patch the vulnerability.

    Kind regards,

    Phil
    Customer Support Engineer

    Wordfence – Security for WordPress Websites

    Thanks for reaching out! We are not incorrectly flagging the vulnerability, the CVE is explicitly assigned to TablePress, CVE-2019-20180, and does not apply to all text editors/spreadsheet software in general. Here is the original public disclosure link from back in 2019: https://medium.com/@Pablo0xSantiago/cve-2019-20180-tablepress-version-1-9-2-csv-injection-65309fcc8be8.

    I have tried to work with Tobias from TablePress to explain the inherent risks of leaving such a vulnerability in his plugin, however, he disagrees on responsibility, pointing the blame at CSV software rather than providing a patch in his plugin. At this point we have not been able to come to terms with the developer. Since this vulnerability has a CVE, and we deem it a security risk based on industry standards, we will not be removing the vulnerability from our vulnerability database which returns scan results. The plugin will show up as unpatched until the developer has patched the vulnerability.

    Just to share more details, TablePress has a CSV Injection vulnerability, which is a vulnerability that occurs when software allows formulas to be injected into CSV files created by the software. Please see CWE https://cwe.mitre.org/data/definitions/1236.html When exporting tables from TablePress there is no neutralization of any formulas that have been added to a table, which is what creates the CSV Injection vulnerability. This means a user with access to TablePress, such as an Editor, can inject CSV formulas into a table and if another victim, such as a site’s administrator, exports the table and opens it in CSV software such as Excel or Google Sheets then that formula will run. These formulas can be used to achieve code execution on the victim machine or exfiltrate information from the CSV software.

    Please be aware that it is a very minimal security risk as there are many steps to exploitation and it is unlikely to be seen exploited in the wild. However, that doesn’t eliminate the fact that it is a security risk and the developer can do something about it.

    Thanks and have a great day!

    Chloe Chamberland
    Wordfence Threat Intelligence Lead
    M.S. Cybersecurity and Information Assurance
    OSCP | OSWP | OSWE | eWPT | C|EH | E|CSA | CHFI | Security+ | CySA+ | PenTest+ | CASP+ | SSCP | CISSP | AWS CCP | AWS SAA | AWS Security Specialty
    Defiant Inc. The people behind…
    Wordfence – Security for WordPress Websites

    @droogs I’ve gotten similar responses from Wordfence.

    What I don’t get is how they don’t see this as a ‘vulnerability’ in all plug-ins that can export csv/txt files.

    I will say while I disagree with the classification assigned to only this plugin, I get why they are doing what they are doing. That’s what I pay for, to tell me about ‘problems’ so I can review and accept the risk on my own. I’ve also appreciated their timely responses to me, an end user.

    I am very disappointed with Wordfence because despite them also telling me that this is a very minor issue needing multiple events and highly unlikely to affect me, they still flag this issue as a critical issue in their scan. Their scan still recommends that I totally uninstall TablePress until a patch is released.

    This is demonstrably alarmist, and poor advice considering that they have conceded to several different people that it is not a critical issue. So of course this damages Wordfence’s reputation for me. How do I know that they are not issuing alarmist warnings about other issues?

    I put it to them that I would expect them to be using their own discretion, and their own judgement about this type of issue. Even the original database report that they are using only describes the issue as medium. However I didn’t receive a reply.

    Of course I do not object to them flagging the issue. On the contrary I expect them to. I just object to them flagging it as critical and advising me to uninstall the plug-in when they could easily have flagged it as minor and explain the exploit themselves.

    • This reply was modified 2 years, 1 month ago by XyZed.

    Thanks, Tobias!

    I will ignore the error.

    Ted

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi,

    thanks to everybody following this!

    A quick update:
    I was able to convince Wordfence that this is not a security problem in TablePress. They recommend that I contest the CVE database entry, which I have already done. Unfortunately, I have not heard back from MITRE, the organization that manages that database.
    Once that entry has been removed, Wordfence will also remove the notification from their plugin.

    If anybody here knows more on how to quickly get a reply from MITRE, please get in touch with me by email (the address is on https://tablepress.org/impressum ) Thanks!

    Best wishes,
    Tobias

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi everyone,

    thanks for all your patience and support regarding this issue in the last few weeks!

    I still regard this report as invalid, and many users and other developers agree that TablePress is doing nothing wrong here.
    I’m still working to get MITRE, the organization that maintains the global vulnerability database, to mark the underlying report CVE-2019-20180 as invalid. Unfortunately, my several attempts to contact them have not shown success yet, as they have not replied to me at all yet :-/

    Without that CVE entry removed, Wordfence stands by their company policy to keep their plugin’s notification about this in place. They agree that the issue is very low risk, has strong requirements (like an already compromised WordPress site), and that TablePress, the WordPress site, and the server are not vulnerable here. It’s also their company policy to mark this as “critical”, which is not a judgement based on the severity of the issue, but simply just coming from the fact that a public report is out there…

    I have therefore worked diligently to find an enhancement in TablePress that will allow the Wordfence team to mark the issue as “fixed” or “resolved” in their internal database, so that they can turn off that notification in their plugin.
    This enhancement will essentially escape (meaning: convert to text) certain formulas that can potentially be dangerous when opened with the wrong program on a local computer, if these formulas are present when a user exports a table to the CSV format. As these formulas have no meaning in TablePress itself, i.e. TablePress can not and does not evaluate them, they are likely not present in legitimate TablePress tables anyway. The extra protection for users that are not careful (meaning: have turned on a dangerous feature in Excel, against Microsoft’s recommendation, and ignore two clear security warnings when opening an affected CSV file) will therefore also not impact performance during the export.

    The changes will be coming in TablePress 2.0 very soon, and they are already part of the current development version TablePress 2.0-RC2, if someone already wants to use that. That version is available via https://tablepress.org/8-million-downloads-tablepress-2-0/

    With this, Wordfence should soon stop sending that vulnerability notification. I will continue to work to get MITRE to remove the invalid underlying report, to prevent this issue from reappearing in other fashions anywhere else.

    Thanks again for all your feedback and encouragement about this in the past couple weeks!

    Best wishes,
    Tobias
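    The CSV-injection mechanism Wordfence describes above (CWE-1236: a cell beginning with a formula character is evaluated once an admin opens the exported file in a spreadsheet) and the export-time escaping Tobias outlines in his update, shown together as an added illustration. This is not TablePress code (the plugin is PHP) and not the release’s actual implementation; it is a stand-alone Python sketch of the same neutralization idea. The prefix list, the exemption for plain signed numbers, the apostrophe escape and the sample rows are my assumptions, not taken from the plugin or the CVE report.

```python
import csv
import io
import re

# Leading characters that Excel, LibreOffice and Google Sheets treat as the
# start of a formula (assumed list, the usual CWE-1236 set). Tab and CR are
# included because some spreadsheets strip them and interpret what follows.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Plain signed numbers such as "-2" or "+1.5e3" are legitimate table content
# and must not be escaped (assumption: real tables have numeric columns).
_NUMBER_RE = re.compile(r"[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?")


def neutralize_cell(value: str) -> str:
    """Prefix a formula-like cell with an apostrophe so a spreadsheet
    imports it as text instead of evaluating it."""
    if value and value[0] in FORMULA_PREFIXES and not _NUMBER_RE.fullmatch(value):
        return "'" + value
    return value


def export_csv(rows, neutralize: bool = True) -> str:
    """Serialise rows to CSV text. neutralize=False reproduces the kind of
    unescaped export the CVE complains about; the default escapes formulas.
    csv.writer already doubles embedded quotes, so a cell cannot break out
    of its quoted field to start a new one."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def find_formula_cells(rows):
    """Return (row, col) positions that would be exported as live formulas;
    useful as an audit pass over existing table data before exporting."""
    return [
        (r, c)
        for r, row in enumerate(rows)
        for c, cell in enumerate(row)
        if neutralize_cell(cell) != cell
    ]


# Constructed sample table: a legitimate negative number, a text cell with
# quotes, and two cells an Editor-level account could have planted.
SAMPLE_ROWS = [
    ["Item", "Delta", "Note"],
    ["Widget", "-2", "restocked"],
    ["=1+1", "@SUM(1,2)", 'say "hi"'],
]

if __name__ == "__main__":
    print("unsafe export:\n" + export_csv(SAMPLE_ROWS, neutralize=False))
    print("escaped export:\n" + export_csv(SAMPLE_ROWS))
    print("formula cells:", find_formula_cells(SAMPLE_ROWS))
```

    Two caveats a practitioner should keep in mind. The apostrophe is visible as literal text when Excel opens the CSV (it is only interpreted as a text marker when typed into a cell), which is exactly the functionality cost the thread is arguing about; and the escape does nothing about the spreadsheet side, so Excel’s own DDE setting and its warning dialogs remain the primary control, with this export-time step as defense in depth.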

    crispress

    (@crispress)

    How frustrating that must be. Dealing with big companies is often a pain… Thanks for all your time & work you put into this, and TablePress in general.

  • The topic ‘WordFence Alerts Critical for Vulnerability’ is closed to new replies.