WordPress Metform Elementor Contact Form Builder Plugin Vulnerability

Thus, an attacker can begin hacking the site with the lowest level user role.

Featured image by Shutterstock/pedrorsfernandes



منبع

Elementor’s website describes the subscriber user role:

“A WordPress subscriber is a site user who can only edit their profile, read posts, and leave comments.

The Metform Elementor Contact Form builder is a third party add-on to the popular Elementor page builder plugin with over over 200,000 installations.

“MetForm, the drag-and-drop WordPress contact form builder is an addon for Elementor, build any fast and secure contact form on the fly with its drag-and-drop flexibility.

“Version 3.3.2

It can manage multiple contact forms, and you can customize the multi step form with an Elementor builder.”

Information Disclosure Vulnerability

This vulnerability is rated by the NVD as a medium level threat because it requires an attacker to obtain a subscriber-level or higher user role.

This vulnerability affects Metform Elementor Contact Form Builder plugin versions up to and including 3.3.1.

An attacker only needs to subscribe to a website in order to be able to launch an attack.

The U.S. government National Vulnerability Database (NVD) issued an advisory about a vulnerability affecting Metform Elementor Contact Form Builder WordPress plugin that could leak sensitive information.

Metform Elementor Contact Form Builder for WordPress

A subscriber-level user role is a relatively low bar for activating the exploit, as it’s easier to obtain than an admin or editor level user role.

According to the official Metform Elementor Contact Form Builder Changelog:

…Improved: Security, nonce and authorization checking.”

The most current version of the plugin is 3.4.0.

CVE-2023-0689 Detail

Read the official NVD advisory:

The Metform contact form builder WordPress plugin for Elementor allows beginners with no coding skills to create surveys forms, contact forms, referral feedback forms and also can save a form so that a user can return to the form if they lose and regain Internet connection.

Metform Elementor Contact Form Builder Version 3.3.2 is the version that fixed the vulnerability.

“The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the ‘mf_first_name’ shortcode in versions up to, and including, 3.3.1.

WordPress uses the concept of ‘roles’ to enable a site owner to control and manage what set of tasks (capabilities) users can do or not do within the site.

According to the official WordPress plugin repository:

A subscriber is the lowest level of user role with the fewest permissions.”

It offers a drag-and-drop interface that makes it easy to build contact forms, including multi-step forms.

This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter’s first name.”

Update Plugin To Mitigate Attack Threat

The vulnerability allows an attacker to obtain sensitive information.

The NVD describes the threat: