The U.S. government’s National Vulnerability Database (NVD) has released an advisory about a vulnerability in the Metform Elementor Contact Form Builder WordPress plugin, which could lead to the leak of sensitive information.
Metform Elementor Contact Form Builder for WordPress
The Metform Elementor Contact Form Builder is a third-party add-on to the popular Elementor page builder plugin, boasting over 200,000 installations. It features a user-friendly drag-and-drop interface that simplifies the creation of contact forms, including multi-step forms.
The plugin enables beginners with no coding skills to create various forms such as surveys, contact forms, and referral feedback forms, and it even allows users to save their progress if they lose and later regain their Internet connection.
According to the official WordPress plugin repository:
"MetForm, the drag-and-drop WordPress contact form builder is an addon for Elementor, build any fast and secure contact form on the fly with its drag-and-drop flexibility."
"It can manage multiple contact forms, and you can customize the multi step form with an Elementor builder."
Information Disclosure Vulnerability
This vulnerability permits an attacker to obtain sensitive information. Rated as a medium-level threat by the NVD, it requires the attacker to hold only a subscriber-level or higher user role, a low bar that makes it relatively easy to exploit.
A subscriber-level user role is described as a site user who can only edit their own profile, read posts, and leave comments. WordPress uses the concept of ‘roles’ to manage what tasks users can perform within the site, and subscriber is the lowest-level role with the fewest permissions.
Thus, an attacker needs only the lowest-level user role on the site to exploit this vulnerability.
The NVD describes the threat:
"The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the ‘mf_first_name’ shortcode in versions up to, and including, 3.3.1."
"This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter’s first name."
Update Plugin To Mitigate Attack Threat
The vulnerability affects Metform Elementor Contact Form Builder plugin versions up to and including 3.3.1. The issue was fixed in version 3.3.2, and the most current version of the plugin is 3.4.0.
According to the official Metform Elementor Contact Form Builder Changelog:
"Version 3.3.2
…Improved: Security, nonce, and authorization checking."
CVE-2023-0689 Detail