Cross-Site Request Forgery Vulnerability in Metform Elementor Contact Form Builder Plugin for WordPress
CVE-2023-6788

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Metform Elementor Contact Form Builder
Vendor: CVE Published:; 9 January 2024

Summary

The Metform Elementor Contact Form Builder plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability affecting all versions up to and including 3.8.1. This flaw arises from inadequate nonce validation in the contents function, allowing unauthenticated attackers to manipulate critical application options. By tricking a site administrator into making a malicious request, an attacker can connect a rogue Hubspot account to the compromised site, enabling them to capture sensitive leads and contacts.

Affected Version(s)

Metform Elementor Contact Form Builder * <= 3.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/metform/trunk/...

https://plugins.trac.wordpress.org/changeset/3011284/metf...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2024
Vulnerability Reserved
Dec 13, 2023

Credit

Lucio Sá