
CSV injection via user, post or taxonomy name

Moderate
patrickrobrecht published GHSA-qp4h-rgcv-q27p Sep 12, 2023

Package

posts-and-users-stats (WordPress plugin)

Affected versions

<=1.1.3

Patched versions

1.1.4

Description

Impact

Posts and Users Stats 1.1.3 and earlier are vulnerable to CSV injection. Users could change their user display name, a category name, or a tag name to start with something like @SUM(1+1)*cmd|' /C calc'!A0. This formula is then included in the CSV export provided by the plugin. If the exported CSV is opened in a vulnerable application, the payload will execute.

The possible impact on a specific WordPress installation depends heavily on how that WordPress site is used:

  • On any WordPress site that allows users to register and edit their profile, users could include a formula in their display name, which then ends up in the CSV export of the report Tools > Posts Statistics > Posts per Author and Post Type.
  • On a personal WordPress blog with just one admin, the admin would need to compromise their own installation, so exploitation is very unlikely here.
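To show where the plugin's export had to change, here is an added example (not code from the Posts and Users Stats plugin, and assuming PHP 7.0 or later) that writes the vulnerable CSV line format beside a hardened one which neutralises spreadsheet formula triggers in user-controlled cells. The rows are constructed; the first display name is the payload quoted in this advisory.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's own code. Demonstrates why a CSV export of
// user-controlled names (display names, categories, tags) must sanitise
// cells, not just quote them.

// RFC 4180 quoting: wrap in double quotes, double any embedded double quote.
function csv_quote(string $cell): string
{
    return '"' . str_replace('"', '""', $cell) . '"';
}

// Vulnerable pattern: cells are quoted but otherwise written verbatim, so a
// name starting with '=', '+', '-', '@', tab or CR is parsed as a formula
// when the file is opened in a spreadsheet application.
function csv_line_unsafe(array $cells): string
{
    return implode(',', array_map('csv_quote', array_map('strval', $cells))) . "\r\n";
}

// True if common spreadsheet applications would treat the cell as a formula.
// Leading spaces are skipped because some applications strip them first.
function csv_cell_is_formula_like(string $value): bool
{
    $first = ltrim($value, ' ');
    return $first !== '' && strpos("=+-@\t\r", $first[0]) !== false;
}

// Hardened pattern: prefix formula-like cells with a single quote so the
// spreadsheet reads them as text, then apply the same RFC 4180 quoting.
function csv_sanitize_cell(string $value): string
{
    return csv_cell_is_formula_like($value) ? "'" . $value : $value;
}

function csv_line_safe(array $cells): string
{
    $quoted = [];
    foreach ($cells as $cell) {
        $quoted[] = csv_quote(csv_sanitize_cell((string) $cell));
    }
    return implode(',', $quoted) . "\r\n";
}

// Constructed rows modelled on the "Posts per Author and Post Type" report.
$rows = [
    ['Display name', 'Post type', 'Posts'],
    ["@SUM(1+1)*cmd|' /C calc'!A0", 'post', 3],
    ['-Negative Nancy', 'page', 1],
    ['Alice "Ally" Example', 'post', 12],
];
foreach ($rows as $row) {
    echo csv_line_safe($row);
}
```

The leading quote becomes visible as data in the opened sheet, which is the accepted trade-off; the essential point is that every user-controlled cell passes through the sanitiser before it reaches the export.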

Patches

All users are encouraged to update to version 1.1.4 immediately.

Workarounds

There is no reason not to upgrade to the 1.1.4 version.
Users who do not want to upgrade to 1.1.4 should avoid using the CSV export provided by the plugin, or should open the CSV file only in software that is not vulnerable to this type of CSV injection.

References

This security issue was reported by Mika at patchstack.com.

Severity

Moderate

CVE ID

CVE-2022-44738

Weaknesses