Cross-Site Request Forgery Vulnerability in Metform Elementor Contact Form Builder Plugin for WordPress
CVE-2023-6788

5.4MEDIUM

Key Information:

Vendor

WordPress
Status
Metform Elementor Contact Form Builder
Vendor
CVE Published:
9 January 2024

What is CVE-2023-6788?

The Metform Elementor Contact Form Builder plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability affecting all versions up to and including 3.8.1. This flaw arises from inadequate nonce validation in the contents function, allowing unauthenticated attackers to manipulate critical application options. By tricking a site administrator into making a malicious request, an attacker can connect a rogue Hubspot account to the compromised site, enabling them to capture sensitive leads and contacts.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Metform Elementor Contact Form Builder * <= 3.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/metform/trunk/...
https://plugins.trac.wordpress.org/changeset/3011284/metf...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lucio Sá
JSON
.