{"id":22483,"date":"2023-09-01T08:10:00","date_gmt":"2023-09-01T08:10:00","guid":{"rendered":"https:\/\/www.searchenginejournal.com\/wordpress-contact-form-plugin-vulnerability\/495353\/"},"modified":"2023-09-01T08:10:00","modified_gmt":"2023-09-01T08:10:00","slug":"wordpress-metform-elementor-contact-form-builder-plugin-vulnerability-via-sejournal-martinibuster","status":"publish","type":"post","link":"https:\/\/marketingnewsbox.com\/?p=22483","title":{"rendered":"WordPress Metform Elementor Contact Form Builder Plugin Vulnerability via @sejournal, @martinibuster"},"content":{"rendered":"
<\/div>\n

The U.S. government National Vulnerability Database (NVD) issued an advisory about a vulnerability affecting Metform Elementor Contact Form Builder WordPress plugin that could leak sensitive information.<\/p>\n

Metform Elementor Contact Form Builder for WordPress<\/h2>\n

The Metform Elementor Contact Form builder is a third party add-on to the popular Elementor page builder plugin with over over 200,000 installations.<\/p>\n

It offers a drag-and-drop interface that makes it easy to build contact forms, including multi-step forms.<\/p>\n

The Metform contact form builder WordPress plugin for Elementor allows beginners with no coding skills to create surveys forms, contact forms, referral feedback forms and also can save a form so that a user can return to the form if they lose and regain Internet connection.<\/p>\n

According to the official WordPress plugin repository:<\/strong><\/p>\n

\n

\u201cMetForm, the drag-and-drop WordPress contact form builder is an addon for Elementor, build any fast and secure contact form on the fly with its drag-and-drop flexibility.<\/p>\n

It can manage multiple contact forms, and you can customize the multi step form with an Elementor builder.\u201d<\/p>\n<\/blockquote>\n

Information Disclosure Vulnerability<\/h2>\n

The vulnerability allows an attacker to obtain sensitive information.<\/p>\n

This vulnerability is rated by the NVD as a medium level threat because it requires an attacker to obtain a subscriber-level or higher user role.<\/p>\n

A subscriber-level user role is a relatively low bar for activating the exploit, as it\u2019s easier to obtain than an admin or editor level user role.<\/p>\n

An attacker only needs to subscribe to a website in order to be able to launch an attack.<\/p>\n

Elementor\u2019s website describes the subscriber user role<\/a>:<\/p>\n

\n

\u201cA WordPress subscriber is a site user who can only edit their profile, read posts, and leave comments.<\/p>\n

WordPress uses the concept of \u2018roles\u2019 to enable a site owner to control and manage what set of tasks (capabilities) users can do or not do within the site.<\/p>\n

A subscriber is the lowest level of user role with the fewest permissions.\u201d<\/p>\n<\/blockquote>\n

Thus, an attacker can begin hacking the site with the lowest level user role.<\/p>\n

The NVD describes the threat<\/a>:<\/strong><\/p>\n

\n

\u201cThe Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the \u2018mf_first_name\u2019 shortcode in versions up to, and including, 3.3.1.<\/p>\n

This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter\u2019s first name.\u201d<\/p>\n<\/blockquote>\n

Update Plugin To Mitigate Attack Threat<\/h2>\n

This vulnerability affects Metform Elementor Contact Form Builder plugin versions up to and including 3.3.1.<\/p>\n

The most current version of the plugin is 3.4.0.<\/p>\n

Metform Elementor Contact Form Builder Version 3.3.2 is the version that fixed the vulnerability.<\/p>\n

According to the official Metform Elementor Contact Form Builder Changelog<\/a>:<\/p>\n

\n

\u201cVersion 3.3.2<\/p>\n

\u2026Improved: Security, nonce and authorization checking.\u201d<\/p>\n<\/blockquote>\n

Read the official NVD advisory:<\/strong><\/p>\n

CVE-2023-0689 Detail<\/a><\/p>\n

Featured image by Shutterstock\/pedrorsfernandes<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

The U.S. government National Vulnerability Database (NVD) issued an advisory about a vulnerability affecting Metform Elementor Contact Form Builder WordPress plugin that could leak sensitive information. Metform Elementor Contact Form Builder for WordPress The Metform Elementor Contact Form builder is a third party add-on to the popular Elementor page builder plugin with over over 200,000… <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[292,103],"tags":[],"class_list":["post-22483","post","type-post","status-publish","format-standard","hentry","category-news","category-search-engine-marketing"],"_links":{"self":[{"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=\/wp\/v2\/posts\/22483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22483"}],"version-history":[{"count":0,"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=\/wp\/v2\/posts\/22483\/revisions"}],"wp:attachment":[{"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/marketingnewsbox.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}