Input validation vulnerability in Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress 3.3.0

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 3.3.0. The ‘mf’ shortcode echoes form submissions without escaping them, so a user with Contributor-level permissions or above can get attacker-controlled script injected into a page, and that script executes in the browser of anyone who views the page. Note that although the payload is stored in the site database, it only fires when the victim visits a crafted link that includes the form entry id; the entry id parameter in the request URL is therefore the trigger to look for when checking access logs for exploitation attempts.
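The following is an added example, not Metform's own code, written to show the bug class the advisory describes: a shortcode that looks up a stored form entry by an id taken from the request and echoes the submitted values into the page. The entry store, the `mf_example` shortcode name and every `mf_example_*` function are hypothetical stand-ins for the plugin's real data access and rendering; `htmlspecialchars()` is used in place of WordPress's `esc_html()` when the script runs outside WordPress so it executes stand-alone with plain PHP. The vulnerable renderer is shown beside a hardened one.

```php
<?php
// Added example (not Metform's code). Constructed sample entry store standing in
// for the posts/postmeta rows a real form plugin would query. Entry 7 holds a
// submission whose message field carries a script payload.
$MF_EXAMPLE_ENTRIES = [
    7 => ['name' => 'Alice', 'message' => 'Hello <script>alert(document.cookie)</script>'],
];

// Hypothetical lookup helper; a real plugin would call get_post()/get_post_meta().
function mf_example_get_entry(int $entry_id): ?array {
    global $MF_EXAMPLE_ENTRIES;
    return $MF_EXAMPLE_ENTRIES[$entry_id] ?? null;
}

// Escape for an HTML text context. Uses esc_html() inside WordPress, otherwise the
// plain-PHP equivalent so the example runs on its own.
function mf_example_esc(string $s): string {
    return function_exists('esc_html')
        ? esc_html($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// VULNERABLE: the entry id is read straight from the query string and every stored
// field value is interpolated into the markup unescaped. A victim who follows a
// crafted link such as ?entry_id=7 gets the stored <script> executed.
function mf_example_render_vulnerable(array $request): string {
    $entry = mf_example_get_entry((int) ($request['entry_id'] ?? 0));
    if ($entry === null) {
        return '';
    }
    $html = '<dl>';
    foreach ($entry as $field => $value) {
        $html .= "<dt>$field</dt><dd>$value</dd>"; // unescaped: stored XSS sink
    }
    return $html . '</dl>';
}

// HARDENED: validate the id as a positive integer and escape every field name and
// value at the point of output, so stored markup renders as inert text.
function mf_example_render_hardened(array $request): string {
    $entry_id = filter_var(
        $request['entry_id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($entry_id === false) {
        return '';
    }
    $entry = mf_example_get_entry($entry_id);
    if ($entry === null) {
        return '';
    }
    $html = '<dl>';
    foreach ($entry as $field => $value) {
        $html .= '<dt>' . mf_example_esc((string) $field) . '</dt>'
               . '<dd>' . mf_example_esc((string) $value) . '</dd>';
    }
    return $html . '</dl>';
}

// Register the hardened renderer as a shortcode only when running inside WordPress.
// add_shortcode() is the real WordPress API; the shortcode name here is hypothetical.
if (function_exists('add_shortcode')) {
    add_shortcode('mf_example', function () {
        return mf_example_render_hardened($_GET);
    });
}

// Stand-alone demonstration of the crafted-link scenario from the advisory note.
$crafted = ['entry_id' => '7'];
echo mf_example_render_vulnerable($crafted), PHP_EOL; // raw <script> tag reaches the page
echo mf_example_render_hardened($crafted), PHP_EOL;   // &lt;script&gt; is shown as text
```

Running the script with `php` prints the two renderings side by side; the first contains a live `<script>` element, the second the same submission with the angle brackets and quotes encoded. In a real plugin the same rule applies regardless of how entries are stored: treat every submitted field as untrusted at output time and escape it for the context it lands in (`esc_html()` for text, `esc_attr()` for attributes), rather than relying on sanitization at submission time alone.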

Detected in: <= 3.3.0

This information is sourced from www.wpvulnerability.com, an open-source database of vulnerabilities maintained by the community. Help us out by submitting vulnerabilities!

Version compare shows which versions have a vulnerability. For example, >= 2.2.8 <= 2.2.21 means:

>  from 2.2.8
=  including 2.2.8 and 2.2.21
<  up to 2.2.21

Is this information incorrect? Please leave us a message.