
CVE-2022-4034: Appointment Hour Booking RCE Vulnerability

CVE-2022-4034 is a CSV injection flaw in Appointment Hour Booking Plugin for WordPress that enables remote code execution when exported files are opened. This article covers technical details, affected versions, and mitigation.

Published: February 18, 2026

CVE-2022-4034 Overview

The Appointment Hour Booking Plugin for WordPress contains a CSV Injection vulnerability in versions up to and including 1.3.72. This security flaw enables unauthenticated attackers to embed malicious input into booking content that gets exported as CSV files. When site administrators export booking details and open the resulting CSV file on a local system with a vulnerable configuration, arbitrary code execution can occur.

Critical Impact

Unauthenticated attackers can achieve code execution on administrator systems through malicious CSV exports, potentially leading to full system compromise when booking data is exported and opened locally.

Affected Products

  • Appointment Hour Booking for WordPress versions up to and including 1.3.72
  • dwbooster appointment_hour_booking

Discovery Timeline

  • 2022-11-29 - CVE-2022-4034 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-4034

Vulnerability Analysis

This vulnerability falls under CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), commonly known as CSV Injection or Formula Injection. The attack exploits the trust relationship between the WordPress plugin and spreadsheet applications that interpret certain characters as formula prefixes.

When booking data is submitted through the plugin's public-facing forms, the application fails to properly sanitize user input before storing it in the database. This becomes dangerous when administrators export booking information to CSV format, as malicious payloads embedded in booking fields are preserved in the export.

Spreadsheet applications like Microsoft Excel, LibreOffice Calc, and Google Sheets interpret cells beginning with characters such as =, +, -, @, or \t as formulas. An attacker can craft booking submissions containing payloads that execute Dynamic Data Exchange (DDE) commands or other formula-based attacks when the CSV is opened.

Root Cause

The root cause is insufficient input validation and output encoding in the booking submission and CSV export functionality. The plugin accepts and stores user-supplied data without sanitizing dangerous formula prefix characters, and subsequently exports this data to CSV format without proper escaping or prefixing of potentially dangerous content.

Attack Vector

The attack is initiated remotely through the booking form but requires local user interaction to achieve code execution. An attacker submits a malicious booking through the public WordPress site containing formula injection payloads in text fields such as name, email, or notes. When an administrator exports bookings to CSV and opens the file in a spreadsheet application, the malicious formulas execute.

A typical attack payload might include DDE commands that launch system processes or download and execute remote payloads. The attack succeeds when the target spreadsheet application is configured to allow external data connections or command execution, which is common in default configurations.

Detection Methods for CVE-2022-4034

Indicators of Compromise

  • Booking entries containing formula prefix characters (=, +, -, @) at the start of text fields
  • Unusual booking submissions with DDE command syntax such as =cmd|' /C calc'!A0 or similar patterns
  • Multiple bookings from the same source containing suspicious payloads
  • Exported CSV files triggering security warnings in spreadsheet applications

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect formula injection patterns in form submissions
  • Monitor booking database entries for suspicious strings beginning with formula operators
  • Enable logging for all booking form submissions and review for anomalous content
  • Deploy endpoint detection on administrator workstations to identify suspicious process execution from spreadsheet applications

Monitoring Recommendations

  • Configure alerting for booking submissions containing potential formula injection characters in the first position of text fields
  • Monitor for unusual patterns of booking submissions that may indicate automated injection attempts
  • Review exported CSV files through secure viewers before opening in full spreadsheet applications
  • Track process creation events originating from spreadsheet application processes

How to Mitigate CVE-2022-4034

Immediate Actions Required

  • Update the Appointment Hour Booking plugin to the latest version immediately
  • Review existing booking data for potentially malicious entries before exporting
  • Configure spreadsheet applications to disable automatic formula execution and DDE
  • Consider temporarily disabling CSV export functionality until the plugin is updated

Patch Information

The vendor has released a patch addressing this vulnerability. The fix can be reviewed in the WordPress Plugin Changeset. Additional details are available in the Wordfence Vulnerability Advisory.

Site administrators should update to a version newer than 1.3.72 through the WordPress admin panel or by downloading the latest version from the WordPress plugin repository.

Workarounds

  • Prefix all user-supplied data with a single quote (') before CSV export to prevent formula interpretation
  • Open exported CSV files in text editors rather than spreadsheet applications when reviewing data
  • Configure Microsoft Excel to disable DDE by navigating to File > Options > Trust Center > Trust Center Settings > External Content
  • Implement server-side input validation to reject or sanitize formula prefix characters in booking submissions
  • Use alternative export formats such as JSON or plain text when formula injection is a concern
```powershell
# Configuration example - Excel Trust Center DDE Disable Registry Settings
# Apply these registry settings to disable DDE in Microsoft Excel
# (16.0 is the Office version key; run from a Windows shell such as PowerShell)
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security" /v WorkbookLinkWarnings /t REG_DWORD /d 2 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security" /v DisableDDEServerLaunch /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security" /v DisableDDEServerLookup /t REG_DWORD /d 1 /f
```
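
The review step under Detection Methods (flag booking fields that start with a formula prefix) and the single-quote workaround above can be combined into one pass over an exported file. The following is an added example, not code from the plugin or the vendor patch; the column names and sample rows are constructed, and treating carriage return as a prefix is an assumption beyond the characters this page lists.

```python
import csv
import io

# Prefixes named on this page (=, +, -, @, tab). Carriage return is an added
# assumption taken from general CSV-injection guidance.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True when a spreadsheet may evaluate the cell instead of showing it."""
    return value.startswith(FORMULA_PREFIXES)


def audit_and_clean(csv_text):
    """Return (findings, cleaned_csv) for an exported bookings file.

    findings holds (row_number, column_name, original_value) tuples.
    """
    rows = list(csv.reader(io.StringIO(csv_text, newline="")))
    if not rows:
        return [], ""
    header, body = rows[0], rows[1:]
    findings, cleaned = [], [header]
    for row_number, row in enumerate(body, start=2):  # row 1 is the header
        safe_row = []
        for index, value in enumerate(row):
            if is_formula_like(value):
                name = header[index] if index < len(header) else f"col{index}"
                findings.append((row_number, name, value))
                value = "'" + value  # single-quote workaround from the page
            safe_row.append(value)
        cleaned.append(safe_row)
    out = io.StringIO(newline="")
    csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(cleaned)
    return findings, out.getvalue()


# Constructed sample export: column names are hypothetical, and the payload is
# the DDE pattern quoted in this page's indicators list.
SAMPLE_EXPORT = (
    "name,email,notes\n"
    "Alice Example,alice@example.com,Window seat please\n"
    "=cmd|' /C calc'!A0,bob@example.com,-2 guests\n"
    'Carol Example,carol@example.com,"+1 555 0100, call first"\n'
)

if __name__ == "__main__":
    found, cleaned_csv = audit_and_clean(SAMPLE_EXPORT)
    for row_number, column, value in found:
        print(f"row {row_number}, column {column!r}: {value!r}")
    print(cleaned_csv)
```

Benign values such as a phone number with a leading + are flagged too, so the findings are a review list rather than a verdict; the cleaned copy is safe to open either way.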

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Dwbooster Appointment Hour Booking
  • Severity: HIGH
  • CVSS Score: 7.8
  • EPSS Probability: 2.48%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: High
  • Availability: High

CWE References

  • CWE-1236

Technical References

  • Wordfence Vulnerability Advisory

Vendor Resources

  • WordPress Plugin Changeset