Sensitive Information Exposure Vulnerability in MetForm Plugin
CVE-2024-4266

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Metform – Contact Form, Survey, Quiz, & Custom Form Builder For Elementor
Vendor: CVE Published:; 11 June 2024

Summary

The MetForm plugin for WordPress, specifically versions up to and including 3.8.8, is susceptible to a vulnerability that enables unauthenticated attackers to exploit the 'handle_file' function. This flaw allows attackers to gain access to sensitive information, including Personally Identifiable Information (PII), from files uploaded by users. Such exposure can have serious implications for data privacy and security, making it crucial for site administrators to promptly update to a secure version.

Affected Version(s)

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor * <= 3.8.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/metform/trunk/...

https://plugins.trac.wordpress.org/changeset/3099977/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 11, 2024
Vulnerability Reserved
Apr 26, 2024

Credit

Tim Coen