Information Disclosure Vulnerability in Metform Plugin for WordPress
CVE-2023-0694

4.3MEDIUM

Key Information:

Vendor
Wordpress
Status
Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
Vendor
CVE Published:
9 June 2023

Summary

The Metform Elementor Contact Form Builder for WordPress contains a vulnerability that exposes sensitive information through the 'mf' shortcode. Authenticated attackers with subscriber-level capabilities or higher can exploit this flaw to access confidential data from standard form fields in any submission. This raises significant concerns for user privacy and data security, making it imperative for website administrators to update and secure their installations.

Affected Version(s)

Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress * <= 3.3.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/metform/trunk/...
https://plugins.trac.wordpress.org/changeset/2910040/

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ramuel Gall
.