Cross-Site Scripting Vulnerability in Metform Contact Form Builder by WordPress
CVE-2023-0708

5.4 MEDIUM

Summary

The Metform Elementor Contact Form Builder plugin for WordPress contains a stored cross-site scripting vulnerability that allows authenticated attackers with contributor-level permissions or higher to inject arbitrary scripts. The 'mf_first_name' shortcode outputs form submission data into pages without escaping it. When a victim visits a page that includes the shortcode with a submission ID in the query string, the injected script executes. Although user interaction is required to trigger the script, the risk is significant because the malicious JavaScript is stored in the site database.
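The output-escaping flaw described above, shown as an added stand-alone PHP example that is not Metform's code: the in-memory submission store, the `id` query parameter and all function names are hypothetical, and `htmlspecialchars()` stands in for the `esc_html()` call a WordPress plugin would use.

```php
<?php
// Constructed stand-in for stored form submissions (not Metform's schema).
$submissions = [
    101 => ['mf_first_name' => 'Alice'],
    102 => ['mf_first_name' => '<script>alert(1)</script>'], // constructed hostile entry
];

// Hypothetical lookup: resolve one field of the submission named by ?id=.
function lookup_field(array $store, array $query, string $field): ?string
{
    // Accept only a positive integer id; anything else resolves to nothing.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($store[$id][$field])) {
        return null;
    }
    return (string) $store[$id][$field];
}

// Vulnerable pattern: the stored value is placed into HTML as-is.
function render_unescaped(array $store, array $query): string
{
    $value = lookup_field($store, $query, 'mf_first_name');
    return '<span class="mf-first-name">' . ($value ?? '') . '</span>';
}

// Hardened pattern: encode for the HTML context at output time.
function render_escaped(array $store, array $query): string
{
    $value = lookup_field($store, $query, 'mf_first_name');
    return '<span class="mf-first-name">'
        . htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Render each constructed request both ways to compare the markup produced.
foreach ([['id' => '101'], ['id' => '102'], ['id' => 'abc']] as $query) {
    echo 'id=', $query['id'], PHP_EOL;
    echo '  unescaped: ', render_unescaped($submissions, $query), PHP_EOL;
    echo '  escaped:   ', render_escaped($submissions, $query), PHP_EOL;
}
```

Escaping at output time neutralizes entries already stored in the database, which input-side filtering alone would not.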

Affected Version(s)

Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress: <= 3.3.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ramuel Gall