CVE-2020-9372 in Appointment Booking Calendar Plugin
Summary
by MITRE
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
Analysis
by VulDB Data Team • 05/10/2025
The CVE-2020-9372 vulnerability affects the Appointment Booking Calendar plugin for WordPress, specifically versions prior to 1.3.35, presenting a critical security risk that enables remote code execution through CSV injection. This vulnerability stems from inadequate input validation and sanitization within the plugin's booking form processing mechanisms, creating a pathway for malicious actors to exploit the system through seemingly benign user input fields.
The technical flaw manifests in how the plugin handles user-provided data within booking forms, particularly in fields designated for Description or Name inputs. When users enter specific malicious content into these fields, the plugin fails to properly sanitize or escape the data before exporting it to CSV format through the Bookings list administrative interface. This weakness creates a direct vector for CSV injection attacks where specially crafted input can execute arbitrary code when the exported CSV file is opened in spreadsheet applications like Microsoft Excel or Google Sheets.
The operational impact of this vulnerability extends beyond simple data manipulation, as it enables attackers to achieve full remote code execution capabilities. When a victim opens the maliciously crafted CSV file in a spreadsheet application, the embedded formulas can trigger automated execution of malicious code, potentially allowing attackers to gain unauthorized access to the system, execute arbitrary commands, or deploy additional malware. This type of vulnerability aligns with CWE-1236, which describes the weakness of insufficient input validation in web applications, and represents a significant risk to WordPress installations using the affected plugin.
The attack vector leverages the trust relationship between the spreadsheet application and CSV files, where applications automatically interpret certain leading characters and formulas as executable commands. This exploitation technique follows patterns consistent with ATT&CK technique T1059.001, which covers command and scripting interpreter execution, and T1068, which involves local privilege escalation through malicious file execution. The vulnerability's severity is amplified by the fact that submitting the booking form requires no special privileges, while the crafted content reaches a privileged user through the legitimate administrative export functionality that administrators frequently use to manage booking data.
Organizations should immediately update to version 1.3.35 or later of the Appointment Booking Calendar plugin to remediate this vulnerability. Additionally, administrators should implement strict input validation measures, sanitize all user-provided data before processing, and consider implementing network-level restrictions on CSV file downloads. The mitigation strategy should include monitoring for suspicious export activities and ensuring that administrators are educated about the risks associated with opening untrusted CSV files in spreadsheet applications. This vulnerability demonstrates the critical importance of proper data sanitization and the potential for seemingly innocuous input fields to become attack vectors in web applications.
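The export-side sanitization described above, shown as an added example that is not the plugin's own code and is not taken from the CVE entry: it neutralizes formula-triggering cells before writing the CSV, and audits an existing export for cells a spreadsheet would evaluate. The booking rows, field names and function names are constructed for the example.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as the
# start of a formula (per OWASP CSV injection guidance); tab and carriage
# return are included because they can break a cell out of its field.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample bookings standing in for rows from the plugin's booking
# table; all values are benign, but two would be evaluated if exported verbatim.
FIELDNAMES = ["name", "email", "description"]
SAMPLE_BOOKINGS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "description": "=SUM(1,2)"},
    {"name": "Bob Example", "email": "bob@example.com",
     "description": "-30 minutes, please call first"},
    {"name": "@Team Booking", "email": "team@example.com",
     "description": "Quarterly review"},
]

def is_formula_like(value):
    """True when a spreadsheet would parse this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)

def neutralize_cell(value):
    """Prefix a single quote so the cell is stored as literal text.
    Legitimate values such as '-30 minutes' are prefixed too, and the
    apostrophe stays visible after import: the accepted cost of this defence."""
    return "'" + value if is_formula_like(value) else value

def export_bookings_csv(rows, fieldnames, sanitize=True):
    """Render rows as CSV; sanitize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded separators, tabs and newlines inside the field.
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: str(row.get(k, "")) for k in fieldnames}
        if sanitize:
            cells = {k: neutralize_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()

def audit_csv(text):
    """List (line, column, value) for each formula-like cell in an export."""
    reader = csv.DictReader(io.StringIO(text))
    return [(n, col, val) for n, row in enumerate(reader, start=2)
            for col, val in row.items() if val and is_formula_like(val)]
```

Running audit_csv over the unsanitized export flags the two formula-like cells plus the legitimate "-30 minutes" value, which illustrates why the apostrophe prefix, rather than rejection, is the safer default for free-text booking fields.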