Cross-Site Request Forgery Vulnerability in Metform Elementor Contact Form Builder Plugin
CVE-2023-2517

5.4MEDIUM

Key Information:

Vendor
Wordpress
Status
Metform Elementor Contact Form Builder
Vendor
CVE Published:
12 July 2023

Summary

The Metform Elementor Contact Form Builder plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit Cross-Site Request Forgery due to improper nonce validation on the permalink_setup function. Attackers can manipulate a site's permalink structure by tricking an administrator into performing unintended actions. This vulnerability highlights the importance of correctly implementing nonce verification to enhance security against such attacks.

Affected Version(s)

Metform Elementor Contact Form Builder * <= 3.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/metform/trunk/...
https://plugins.trac.wordpress.org/changeset/2907471/metf...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
.