CVE-2018-9035

CRITICAL

Contact Form 7 to Database Ext <2.10.32 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9035. PoCs published by Stefan Broeder.

AI-analyzed exploit summary This is a writeup describing a CSV injection vulnerability in the Contact Form 7 to Database Extension WordPress plugin. The vulnerability allows arbitrary Excel formulas to be injected into exported CSV files, potentially leading to remote code execution or data leakage.

Description

CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.

Exploits (1)

exploitdb WRITEUP

by Stefan Broeder · textwebappsphp

https://www.exploit-db.com/exploits/44367

View Code ZIP pw:eip

This is a writeup describing a CSV injection vulnerability in the Contact Form 7 to Database Extension WordPress plugin. The vulnerability allows arbitrary Excel formulas to be injected into exported CSV files, potentially leading to remote code execution or data leakage.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Contact Form 7 to Database Extension WordPress Plugin 2.10.32

No auth needed

Prerequisites: Access to a contact form field in the vulnerable plugin

MITRE ATT&CK

T1221 - Template Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44367/

Scores

CVSS v3 9.6

EPSS 0.0774

EPSS Percentile 93.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-1236

Status published

Products (1)

contact-form-7-to-database-extension_project/contact-form-7-to-database-extension < 2.10.32

Published Apr 04, 2018

Tracked Since Feb 18, 2026