The U.S. government's National Vulnerability Database (NVD) has issued an advisory regarding a vulnerability in the Metform Elementor Contact Form Builder WordPress plugin that could lead to the disclosure of sensitive information. The Metform Elementor Contact Form Builder is a popular third-party add-on to the Elementor page builder plugin, with over 200,000 installations.

The plugin offers a user-friendly drag-and-drop interface that simplifies the process of creating contact forms, including multi-step forms. It allows users without coding skills to easily build surveys, contact forms, and feedback forms. It also lets users save their progress and return to a form even if they lose their internet connection.

The vulnerability identified in the Metform Elementor Contact Form Builder plugin enables an attacker to access sensitive information. The NVD rates this vulnerability as a medium-level threat. Exploiting it requires only a subscriber-level or higher user role, and the subscriber role, which grants the lowest level of permissions, is relatively easy to obtain.

The NVD describes the specific threat as follows: “The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the ‘mf_first_name’ shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above, to obtain sensitive information about arbitrary form submissions, including the submitter’s first name.”

To mitigate this vulnerability, update the Metform Elementor Contact Form Builder plugin to version 3.3.2 or above; version 3.3.2 is the release that contains the fix. The latest version of the plugin is currently 3.4.0.
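As an added example, not part of the advisory or the plugin project, the script below checks whether an installed Metform version falls inside the affected range stated above (up to and including 3.3.1, fixed in 3.3.2). It assumes WP-CLI is available and that the plugin's WP-CLI slug is `metform`; the version comparison itself runs offline with GNU `sort -V`, and the site path is a placeholder.

```shell
#!/bin/sh
# Fixed version taken from the advisory text: releases before this are affected.
FIXED_VERSION="3.3.2"

# version_lt A B: exit 0 when A sorts strictly before B in version order.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# metform_vulnerable VERSION: exit 0 when VERSION is in the affected range
# (any release below 3.3.2, i.e. up to and including 3.3.1).
metform_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site PATH: ask WP-CLI for the installed Metform version at a WordPress
# install and report. Plugin slug "metform" is an assumption for this example.
check_site() {
    site_path="$1"
    installed=$(wp --path="$site_path" plugin get metform --field=version 2>/dev/null) || {
        echo "SKIP: metform not installed or wp-cli unavailable at $site_path"
        return 2
    }
    if metform_vulnerable "$installed"; then
        echo "VULNERABLE: metform $installed (< $FIXED_VERSION) at $site_path"
        return 1
    fi
    echo "OK: metform $installed at $site_path"
    return 0
}

# Usage (placeholder path): check_site /var/www/example-site
```

Run `check_site` against each WordPress root you administer; a non-zero exit marks installs that still need the 3.3.2 update, which makes the function usable from a cron job or a fleet-wide loop.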

Keeping plugins and other software up to date is essential for maintaining the security of WordPress websites. Check for updates regularly and install them promptly to protect against known vulnerabilities.

Source:

– National Vulnerability Database (NVD) Advisory – CVE-2023-0689