cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2023-0714,https://securityvulnerability.io/vulnerability/CVE-2023-0714,Double Extension Attack Vulnerability in Metform Contact Form Builder,"The Metform Elementor Contact Form Builder for WordPress is susceptible to an arbitrary file upload vulnerability caused by inadequate file type validation. This issue is present in versions up to and including 3.2.4. Attackers can exploit this weakness by executing a 'double extension' attack, allowing them to upload files disguised with benign extensions while concealing malicious payloads. In certain configurations, this vulnerability may lead to remote code execution, which poses a significant risk to the security of affected WordPress installations. Proper validation and sanitation of file uploads is crucial to mitigate this risk.",Wordpress,"Metform – Contact Form, Survey, Quiz, & Custom Form Builder For Elementor",8.1,HIGH,0.0006300000241026282,false,,false,false,false,,false,false,2024-08-17T09:38:58.449Z,0
CVE-2024-4266,https://securityvulnerability.io/vulnerability/CVE-2024-4266,Sensitive Information Exposure Vulnerability in MetForm Plugin,"The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handle_file' function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.",Wordpress,"Metform – Contact Form, Survey, Quiz, & Custom Form Builder For Elementor",5.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-06-11T07:32:25.511Z,0
CVE-2024-1585,https://securityvulnerability.io/vulnerability/CVE-2024-1585,Stored Cross-Site Scripting in Metform Elementor Contact Form Builder Plugin by WordPress,"The Metform Elementor Contact Form Builder plugin for WordPress suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to inadequate input sanitization and output escaping of user-provided attributes in its shortcodes. This flaw allows authenticated attackers, with contributor-level permissions and higher, to inject arbitrary scripts into web pages. When a user accesses these compromised pages, the malicious scripts execute, potentially compromising user data and overall site security.",Wordpress,Metform Elementor Contact Form Builder,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-13T15:26:42.210Z,0
CVE-2023-6788,https://securityvulnerability.io/vulnerability/CVE-2023-6788,Cross-Site Request Forgery Vulnerability in Metform Elementor Contact Form Builder Plugin for WordPress,"The Metform Elementor Contact Form Builder plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability affecting all versions up to and including 3.8.1. This flaw arises from inadequate nonce validation in the contents function, allowing unauthenticated attackers to manipulate critical application options. By tricking a site administrator into making a malicious request, an attacker can connect a rogue Hubspot account to the compromised site, enabling them to capture sensitive leads and contacts.",Wordpress,Metform Elementor Contact Form Builder,5.4,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2024-01-09T04:15:00.000Z,0
CVE-2023-0689,https://securityvulnerability.io/vulnerability/CVE-2023-0689,Information Disclosure Vulnerability in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder for WordPress is susceptible to an information disclosure vulnerability due to the use of the 'mf_first_name' shortcode. Authenticated users with subscriber-level access or higher can exploit this issue to access sensitive information from arbitrary form submissions, including the submitter's first name. This vulnerability highlights the importance of securing form data and implementing adequate user permissions to prevent unauthorized information access.",Wordpress,Metform Elementor Contact Form Builder,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2023-08-31T06:15:00.000Z,0
CVE-2023-2517,https://securityvulnerability.io/vulnerability/CVE-2023-2517,Cross-Site Request Forgery Vulnerability in Metform Elementor Contact Form Builder Plugin,"The Metform Elementor Contact Form Builder plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit Cross-Site Request Forgery due to improper nonce validation on the permalink_setup function. Attackers can manipulate a site's permalink structure by tricking an administrator into performing unintended actions. This vulnerability highlights the importance of correctly implementing nonce verification to enhance security against such attacks.",Wordpress,Metform Elementor Contact Form Builder,5.4,MEDIUM,0.0011500000255182385,false,,false,false,false,,false,false,2023-07-12T05:15:00.000Z,0
CVE-2023-0695,https://securityvulnerability.io/vulnerability/CVE-2023-0695,Cross-Site Scripting Vulnerability in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder for WordPress has a Cross-Site Scripting vulnerability where the 'mf' shortcode improperly outputs unescaped form submissions. This flaw affects versions up to 3.3.0 and allows authenticated users with contributor-level permissions or higher to inject malicious web scripts into pages. While user interaction is necessary for the execution of the injected script—since victims must click a specially crafted link containing the form entry ID—the payload is stored in the site's database, posing a significant security risk.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,5.4,MEDIUM,0.0006399999838322401,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0709,https://securityvulnerability.io/vulnerability/CVE-2023-0709,Cross-Site Scripting in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder for WordPress is susceptible to Cross-Site Scripting (XSS) due to improper handling of the 'mf_last_name' shortcode, which echoes unescaped user submissions. This vulnerability affects versions up to and including 3.3.0. Authenticated attackers with contributor-level permissions can exploit this flaw to inject malicious scripts, which may execute when unsuspecting users visit a constructed link containing the submission ID. The injected script is stored within the website's database, adding to the risk.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,5.4,MEDIUM,0.0007800000021234155,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0710,https://securityvulnerability.io/vulnerability/CVE-2023-0710,Cross-Site Scripting Vulnerability in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder plugin for WordPress contains a Cross-Site Scripting vulnerability. This issue arises from the use of the 'fname' attribute within the 'mf_thankyou' shortcode, which allows unescaped form submissions to be echoed. The flaw affects versions up to and including 3.3.0. Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability by injecting arbitrary web scripts into pages where the shortcode is used. These malicious scripts execute when victims visit a page that incorporates the submission ID in the query string. While user interaction is necessary to activate the script by visiting a specially crafted link, the script itself is stored in the site's database, and successful exploitation requires a successful payment, adding to the complexity of the attack.",Wordpress,Metform Elementor Contact Form Builder – Flexible And Design-friendly Contact Form Builder Plugin For WordPress,4.9,MEDIUM,0.0006399999838322401,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0721,https://securityvulnerability.io/vulnerability/CVE-2023-0721,CSV Injection Vulnerability in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder plugin for WordPress contains a vulnerability that allows unauthenticated attackers to insert untrusted input into CSV files during export. Versions up to and including 3.3.0 are affected. When these manipulated CSV files are downloaded and opened in a vulnerable environment, they can lead to unintended code execution, potentially compromising system security.",Wordpress,Metform Elementor Contact Form Builder – Flexible And Design-friendly Contact Form Builder Plugin For WordPress,8.3,HIGH,0.0014199999859556556,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-1843,https://securityvulnerability.io/vulnerability/CVE-2023-1843,Unauthorized Permalink Structure Update in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder plugin for WordPress contains a security flaw that allows unauthenticated users to modify the permalink structure due to a missing capability check in the permalink_setup function. Versions up to and including 3.3.0 are affected, creating potential for attackers to exploit this weakness and alter critical functionality without proper authentication. It is crucial for users to update their plugin to mitigate this risk.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,5.3,MEDIUM,0.0011399999493733048,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0708,https://securityvulnerability.io/vulnerability/CVE-2023-0708,Cross-Site Scripting Vulnerability in Metform Contact Form Builder by WordPress,"The Metform Elementor Contact Form Builder for WordPress contains a vulnerability that allows authenticated attackers with contributor-level permissions or higher to inject arbitrary scripts. This is accomplished through the use of the 'mf_first_name' shortcode, which improperly handles unescaped form submissions in pages. When a victim visits a page that includes the shortcode and submission ID in the query string, the injected script executes. Although user interaction is required to trigger the script, it poses significant risks as the malicious JavaScript is stored in the site database.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,5.4,MEDIUM,0.0007800000021234155,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0688,https://securityvulnerability.io/vulnerability/CVE-2023-0688,Information Disclosure in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder for WordPress presents a vulnerability that enables authenticated attackers with subscriber-level access or higher to exploit the 'mf_thankyou' shortcode. This flaw allows the unauthorized retrieval of sensitive data related to form submissions, including payment statuses and transaction IDs. Users of versions up to and including 3.3.1 are particularly at risk, highlighting the importance of updating to secure versions to protect sensitive information from potential exposure.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,6.5,MEDIUM,0.0009500000160187483,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0691,https://securityvulnerability.io/vulnerability/CVE-2023-0691,Information Disclosure in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder plugin for WordPress exhibits a vulnerability that permits authenticated users with subscriber-level permissions or higher to exploit the 'mf_last_name' shortcode. This flaw enables the disclosure of sensitive information, specifically the last names of individuals who have submitted forms, raising concerns about the privacy and confidentiality of user data.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,4.3,MEDIUM,0.0005499999970197678,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0692,https://securityvulnerability.io/vulnerability/CVE-2023-0692,Information Disclosure in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder for WordPress suffers from an information disclosure vulnerability due to improper handling of the 'mf_payment_status' shortcode. This issue allows authenticated attackers, holding subscriber-level privileges or higher, to access sensitive details regarding the payment status of various form submissions. Users should ensure they update to the latest version to mitigate risks associated with this vulnerability.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,4.3,MEDIUM,0.0005499999970197678,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0693,https://securityvulnerability.io/vulnerability/CVE-2023-0693,Information Disclosure in Metform Elementor Contact Form Builder for WordPress,"The Metform Elementor Contact Form Builder for WordPress has a vulnerability that permits authenticated users with subscriber-level access or higher to exploit the 'mf_transaction_id' shortcode. This vulnerability can lead to unauthorized access to sensitive transaction IDs related to form submissions that include payment information. It affects all versions up to and including 3.3.1, potentially putting user data at risk.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,4.3,MEDIUM,0.0005499999970197678,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0694,https://securityvulnerability.io/vulnerability/CVE-2023-0694,Information Disclosure Vulnerability in Metform Plugin for WordPress,"The Metform Elementor Contact Form Builder for WordPress contains a vulnerability that exposes sensitive information through the 'mf' shortcode. Authenticated attackers with subscriber-level capabilities or higher can exploit this flaw to access confidential data from standard form fields in any submission. This raises significant concerns for user privacy and data security, making it imperative for website administrators to update and secure their installations.",Wordpress,Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress,4.3,MEDIUM,0.0005499999970197678,false,,false,false,false,,false,false,2023-06-09T06:15:00.000Z,0
CVE-2023-0084,https://securityvulnerability.io/vulnerability/CVE-2023-0084,Stored Cross-Site Scripting Vulnerability in Metform Elementor Contact Form Builder Plugin for WordPress,"The Metform Elementor Contact Form Builder plugin for WordPress is prone to a Stored Cross-Site Scripting vulnerability due to inadequate sanitization and escaping of user input. This security flaw affects versions up to 3.1.2 and allows attackers, without authentication, to inject arbitrary scripts into form text areas. These scripts execute in the browsers of users visiting the compromised submissions page, potentially leading to data theft and session hijacking.",Wordpress,Metform Elementor Contact Form Builder – Flexible And Design-friendly Contact Form Builder Plugin For WordPress,7.2,HIGH,0.0019099999917671084,false,,false,false,false,,false,false,2023-03-02T19:15:00.000Z,0
CVE-2023-0085,https://securityvulnerability.io/vulnerability/CVE-2023-0085,ReCaptcha Bypass in Metform Elementor Contact Form Builder Plugin for WordPress,"The Metform Elementor Contact Form Builder plugin for WordPress is susceptible to a reCaptcha bypass that arises from inadequate server-side validation of the captcha data submitted with forms. This vulnerability allows unauthenticated attackers to circumvent reCaptcha protections, potentially enabling automated bots to submit forms maliciously. It is crucial for users of the Metform plugin to ensure they are running the latest versions to mitigate risks associated with this flaw.",Wordpress,Metform Elementor Contact Form Builder – Flexible And Design-friendly Contact Form Builder Plugin For WordPress,5.3,MEDIUM,0.0008200000156648457,false,,false,false,false,,false,false,2023-03-02T17:15:00.000Z,0
CVE-2022-1442,https://securityvulnerability.io/vulnerability/CVE-2022-1442,Metform Elementor Contact Form Builder <= 2.1.3 - Sensitive Information Disclosure,"The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.",Wordpress,"Metform Elementor Contact Form Builder ",7.5,HIGH,0.12751999497413635,false,,false,false,true,true,false,false,2022-05-10T19:30:12.000Z,0