Improper Neutralization of Formula Elements in a CSV File

CVE-2025-11576

Medium

4.3/10

Summary

The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.

References

Advisory Timeline

Published Oct 24, 2025

Improper Neutralization of Formula Elements in a CSV File

CVE-2025-11576

Summary

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS