Heads-up about spreadsheet vulnerabilities

Vulnerabilities affecting spreadsheet applications such as Microsoft Excel and OpenOffice Calc, often referred to as CSV injection or formula injection, have been known for over 5 years, and unfortunately they still seem to be unresolved.

Although this is not a vulnerability in WordPress or its plugins, so many users of our products could be at risk, and the potential damage is so large, that I think I should write an article here to alert you to the issue.

To exploit these vulnerabilities, an attacker sends you a spreadsheet file that contains maliciously crafted formulas in its cells and tricks you into opening it with a spreadsheet application on your computer. If the conditions are right, the spreadsheet application evaluates the formulas, and in the worst case you end up letting the attacker run arbitrary OS commands on your computer.

Not only Excel files but also other spreadsheet file formats, including plain CSV, are known to be used for such exploits: a spreadsheet application evaluates a CSV field that begins with a formula character just as it would a native cell.

Some WordPress plugins can export their data as a CSV file. To mitigate the risk, such plugins should avoid producing cell data that a spreadsheet application could interpret as a formula.

Flamingo is one such plugin. Flamingo 2.1.1 and higher escape CSV field data that begins with =, +, -, or @ by prepending a warning text. You'll see fields like the following when this escape has been applied:

(Security Alert: Suspicious content is detected. See https://contactform7.com/heads-up-about-spreadsheet-vulnerabilities/ for details.) =cmd|' /C calc'!A0

However, not every field beginning with =, +, -, or @ is a malicious formula; a negative number or a phone number written with a leading + would be prefixed as well, so in some cases this escape may be a misplaced kindness. If you want to disable it, or use a different prefix text, you can use the flamingo_csv_field_prefix filter hook. For example, the following one line of code prefixes field data with an empty string, which effectively turns the escape off:

add_filter( 'flamingo_csv_field_prefix', '__return_empty_string' );
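To make the escaping rule concrete, here is an added example in Python (not Flamingo's own code, which is PHP) of a CSV exporter that neutralises formula-like fields, plus an audit function that re-parses the output and reports any field that still starts with a formula trigger. It generalises the page's rule in two ways that are my own choices, not Flamingo's behaviour: the trigger list also covers the tab and carriage-return characters that OWASP's CSV injection guidance lists alongside =, +, -, and @, and an optional keep_numbers switch leaves plain negative numbers (matched by a strict numeric regex) unprefixed so that a "-12.50" balance survives the export. The default prefix is a single quote, which spreadsheet applications read as the start of a text value; the Flamingo warning text from above is available as an alternative. The sample rows are constructed for this example.

```python
"""Neutralise spreadsheet formula injection in a CSV export.

Added example, not code from Flamingo. Generalises the page's rule
(prefix fields starting with =, +, -, @) to the tab and carriage-return
triggers as well, and optionally leaves plain negative numbers alone.
"""
import csv
import io
import re

# Characters that make Excel / LibreOffice treat a cell as a formula
# (OWASP CSV injection list). Tab and CR are generalisations beyond the page.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Strict numeric form: an optional minus, digits, optional decimal part.
# Anything else starting with "-" (e.g. "-2+3+cmd|...") is still prefixed.
NUMERIC_RE = re.compile(r"^-?\d+(\.\d+)?$")

# Warning text Flamingo 2.1.1+ prepends (taken from the page).
FLAMINGO_PREFIX = (
    "(Security Alert: Suspicious content is detected. See "
    "https://contactform7.com/heads-up-about-spreadsheet-vulnerabilities/ "
    "for details.) "
)


def is_formula_like(field: str) -> bool:
    """True if a spreadsheet would parse this field as a formula."""
    return field.startswith(FORMULA_TRIGGERS)


def escape_field(field, prefix: str = "'", keep_numbers: bool = True) -> str:
    """Return the field unchanged if harmless, otherwise with `prefix` prepended.

    With keep_numbers=True a value such as "-12.50" is left alone because it
    matches NUMERIC_RE and cannot be a formula. The prefix itself must not be
    a trigger character, or the escape would be self-defeating.
    """
    assert not is_formula_like(prefix), "prefix must not start with a trigger"
    field = str(field)
    if not is_formula_like(field):
        return field
    if keep_numbers and NUMERIC_RE.match(field):
        return field
    return prefix + field


def export_csv(rows, prefix: str = "'", keep_numbers: bool = True) -> str:
    """Serialise rows to CSV text, escaping every formula-like field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_field(cell, prefix, keep_numbers) for cell in row])
    return buf.getvalue()


def audit_csv(csv_text: str):
    """Re-parse CSV text and return (row, col) of fields still formula-like.

    This is the check to run over any export before shipping it: an empty
    list means no field would be evaluated as a formula on open.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell) and not NUMERIC_RE.match(cell):
                findings.append((r, c))
    return findings


# Constructed sample data: one DDE payload, one @-formula, a legitimate
# negative number and a phone number with a leading plus sign.
SAMPLE_ROWS = [
    ["name", "message", "balance"],
    ["alice", "=cmd|' /C calc'!A0", "-12.50"],
    ["bob", "@SUM(1+1)*cmd|' /C calc'!A0", "+44 20 7946 0000"],
    ["carol", "hello world", "7"],
]

if __name__ == "__main__":
    print("unescaped findings:", audit_csv(export_csv(SAMPLE_ROWS, prefix="")))
    print("escaped findings:  ", audit_csv(export_csv(SAMPLE_ROWS)))
    print(export_csv(SAMPLE_ROWS, prefix=FLAMINGO_PREFIX))
```

Run it and the unescaped export reports three offending cells (the two payloads and the phone number), while the escaped export reports none; the negative balance is never touched. If your data legitimately contains values with a leading + or @, the same keep_numbers idea can be extended with a whitelist regex for those formats rather than disabling the escape outright.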

Note that this does not remedy the vulnerability itself. The vulnerabilities exist in the spreadsheet application you use, and attackers can still use many other channels to send you malicious spreadsheet files.

To protect yourself keep in mind:

  1. Keep your applications updated and use only the latest safe versions.
  2. Don't open a file in a spreadsheet application if you are not sure what data it contains.