CVE-2020-11548

CRITICAL

Search Meter < 2.13.2 - Remote Code Execution via CSV Injection in Search Export

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-11548. PoCs published by Daniel Monzón.

AI-analyzed exploit summary This exploit demonstrates a CSV injection vulnerability in the Wordpress Plugin Search Meter 2.13.2. The payload is injected via the search bar and executed when the exported CSV is opened in Excel.

Description

The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.

Exploits (1)

exploitdb WORKING POC

by Daniel Monzón · textwebappsphp

https://www.exploit-db.com/exploits/48197

View Code ZIP pw:eip

This exploit demonstrates a CSV injection vulnerability in the Wordpress Plugin Search Meter 2.13.2. The payload is injected via the search bar and executed when the exported CSV is opened in Excel.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Wordpress Plugin Search Meter 2.13.2

Auth required

Prerequisites: Access to Wordpress admin panel · Excel installed on victim machine

MITRE ATT&CK

T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/48197

Product, Third Party Advisory x_refsource_misc

https://wordpress.org/plugins/search-meter/#developers

Scores

CVSS v3 9.8

EPSS 0.0517

EPSS Percentile 91.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-1236

Status published

Products (1)

search_meter_project/search_meter < 2.13.2

Published Apr 05, 2020

Tracked Since Feb 18, 2026