Cross-Site Request Forgery Vulnerability in Metform Elementor Contact Form Builder Plugin
CVE-2023-2517

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Metform Elementor Contact Form Builder
Vendor: CVE Published:; 12 July 2023

What is CVE-2023-2517?

The Metform Elementor Contact Form Builder plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit Cross-Site Request Forgery due to improper nonce validation on the permalink_setup function. Attackers can manipulate a site's permalink structure by tricking an administrator into performing unintended actions. This vulnerability highlights the importance of correctly implementing nonce verification to enhance security against such attacks.

Affected Version(s)

Metform Elementor Contact Form Builder * <= 3.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/metform/trunk/...

https://plugins.trac.wordpress.org/changeset/2907471/metf...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2023
Vulnerability Reserved
May 4, 2023

Credit

Marco Wotschka

Wordpress

What is CVE-2023-2517?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit