High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder
On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations.
The vulnerability is an unauthenticated stored cross-site scripting flaw, arguably the most dangerous variant of cross-site scripting because it offers the easiest path to site takeover; it has been assigned the identifier CVE-2023-0084.
Mohammed reached out to the plugin developer independently the same day and a patched version was made available a few days later, on January 8, 2023.
All Wordfence users, including Wordfence free as well as Wordfence Premium, Wordfence Care, and Wordfence Response, are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. However, the Wordfence Threat Intelligence team became aware of a possible bypass and released a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response users on February 3, 2023.
This additional protection will become available to Wordfence free users after 30 days, on March 5, 2023, but Wordfence free users can simply update the Metform plugin to the latest version, which is 3.2.1 at the time of this writing, to gain protection against this vulnerability. We highly recommend that Wordfence Premium, Care, and Response users update as well, as the update contains a number of additional bugfixes.
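The class of bug described above, unauthenticated stored cross-site scripting in a form plugin, follows one recurring pattern: an anonymous visitor's submission is saved and later rendered, unescaped, in a page an administrator views. The fragment below is an added illustration of that pattern and of the code-level fix that makes a firewall rule a second line of defence rather than the only one. It is not Metform's code and does not describe the specific flaw behind CVE-2023-0084; the `demo_submit` action, the `demo_form_entry` post type, the meta key and the field names are all hypothetical.

```php
<?php
/*
 * Added illustration (not Metform's code): the generic stored-XSS pattern in a
 * WordPress form plugin, with the vulnerable output line shown commented out
 * beside its hardened replacement. All names below are hypothetical.
 */

// Private post type used as the entry store (hypothetical).
add_action( 'init', function () {
    register_post_type( 'demo_form_entry', array( 'public' => false, 'show_ui' => false ) );
} );

// Public endpoint: admin-post.php?action=demo_submit. The *_nopriv_ hook is what
// makes the entry point reachable without authentication.
add_action( 'admin_post_nopriv_demo_submit', 'demo_handle_submission' );
add_action( 'admin_post_demo_submit', 'demo_handle_submission' );

function demo_handle_submission() {
    // Accept only the fields the form defines; unslash, then sanitize on input.
    $name    = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $message = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';

    $entry_id = wp_insert_post( array(
        'post_type'   => 'demo_form_entry',
        'post_status' => 'private',
        'post_title'  => $name,
    ) );
    if ( ! is_wp_error( $entry_id ) ) {
        update_post_meta( $entry_id, 'demo_message', $message );
    }

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}

// Admin-side listing. This is where stored XSS fires: the administrator's
// browser renders whatever the anonymous submitter managed to store, so the
// submitter's payload runs with the administrator's session.
function demo_render_entries_table() {
    $entries = get_posts( array(
        'post_type'   => 'demo_form_entry',
        'post_status' => 'private',
        'numberposts' => 50,
    ) );

    echo '<table class="widefat"><thead><tr><th>Name</th><th>Message</th></tr></thead><tbody>';
    foreach ( $entries as $entry ) {
        $message = get_post_meta( $entry->ID, 'demo_message', true );

        // Vulnerable pattern: submitter-controlled data echoed as raw HTML.
        // echo '<tr><td>' . $entry->post_title . '</td><td>' . $message . '</td></tr>';

        // Hardened pattern: escape at the point of output, regardless of what was
        // done on input. esc_html() turns a stored "<script>" into inert text;
        // use wp_kses_post() only where a limited HTML subset is intended.
        echo '<tr><td>' . esc_html( $entry->post_title ) . '</td><td>' . esc_html( $message ) . '</td></tr>';
    }
    echo '</tbody></table>';
}
```

The point to take from the two output lines is that input sanitization alone is not the fix: a plugin can be bypassed by data arriving through a path the sanitizer did not cover, and a web application firewall can be bypassed by an encoding it does not recognise, which is why the post advises updating to the patched version even for users who already have the firewall rule. Escaping every submitter-controlled value at the moment it is written into HTML closes the class of bug rather than one instance of it.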
Description: Unauthenticated Stored Cross-Site Scripting
Affected Plugin: Metform Elementor Contact Form Builder
Plugin Slug: metform
Affected Versions:
Source: wordfence.com