Input validation vulnerability in Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress 3.3.0

The Metform Elementor Contact Form Builder for WordPress had a security flaw in versions up to and including 3.3.0. Attackers with contributor-level permissions or higher could use the ‘fname’ attribute of the ‘mf_thankyou’ shortcode to inject malicious web scripts into pages. For the script to execute, the victim had to visit a crafted link containing the form entry id. This was possible because the script was stored in the site database, although exploitation was more complex because a successful payment was required.

This information is sourced from www.wpvulnerability.com, an open-source database of vulnerabilities maintained by the community. Help us out by submitting vulnerabilities!

Version compare shows which versions have a vulnerability. For example: >= 2.2.8 <= 2.2.21 means:

> from 2.2.8
= including 2.2.8 & 2.2.21
< to 2.2.21
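
The check below is an added example, not code from this site or from wpvulnerability.com. It evaluates an installed plugin version against a range written in the notation above, comparing version parts as numbers, because plain string comparison ranks 2.2.10 below 2.2.8. The function names and the sample inventory are assumptions, and "<= 3.3.0" is this advisory's "up to and including 3.3.0" written in the same notation.

```python
import re

# Operators used by the notation above, plus "=" for an exact match.
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
_CONSTRAINT = re.compile(r"(>=|<=|>|<|=)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """Turn '2.2.21' into (2, 2, 21) so parts compare as numbers, not text."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 3.3 and 3.3.0 as equal
        parts.pop()
    return tuple(parts)


def parse_range(expr):
    """Split '>= 2.2.8 <= 2.2.21' into [('>=', (2, 2, 8)), ('<=', (2, 2, 21))]."""
    constraints = [(op, parse_version(v)) for op, v in _CONSTRAINT.findall(expr)]
    leftover = _CONSTRAINT.sub("", expr).strip()
    if not constraints or leftover:
        # Reject anything not fully understood (e.g. '-beta' suffixes).
        raise ValueError(f"unrecognised version range: {expr!r}")
    return constraints


def is_affected(installed, expr):
    """True when the installed version satisfies every constraint in expr."""
    version = parse_version(installed)
    return all(_OPS[op](version, bound) for op, bound in parse_range(expr))


if __name__ == "__main__":
    # Constructed inventory of installed versions, checked against the ranges.
    for installed, expr in [("2.2.10", ">= 2.2.8 <= 2.2.21"),
                            ("2.2.3", ">= 2.2.8 <= 2.2.21"),
                            ("3.3.0", "<= 3.3.0"),
                            ("3.3.1", "<= 3.3.0")]:
        print(installed, expr, is_affected(installed, expr))
```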