Stored Cross-Site Scripting Vulnerability in Metform Elementor Contact Form Builder Plugin for WordPress
CVE-2023-0084

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Metform Elementor Contact Form Builder – Flexible And Design-friendly Contact Form Builder Plugin For WordPress
Vendor: CVE Published:; 2 March 2023

Summary

The Metform Elementor Contact Form Builder plugin for WordPress is prone to a Stored Cross-Site Scripting vulnerability due to inadequate sanitization and escaping of user input. This security flaw affects versions up to 3.1.2 and allows attackers, without authentication, to inject arbitrary scripts into form text areas. These scripts execute in the browsers of users visiting the compromised submissions page, potentially leading to data theft and session hijacking.

Affected Version(s)

Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress * <= 3.1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/metform/#description

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 2, 2023
Vulnerability Reserved
Jan 5, 2023

Credit

Mohammed El Amin, Chemouri