PT-2023-16463 · WordPress · Metform Elementor Contact Form Builder

Ram +1 · Published 2023-06-09 · Updated 2023-06-14 · CVE-2023-0695

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Metform Elementor Contact Form Builder for WordPress versions up to, and including, 3.3.0

Description
The issue allows authenticated attackers with contributor-level permissions or above to inject arbitrary web scripts in pages. This is achieved by using the 'mf' shortcode to echo unescaped form submissions, which can lead to Cross-Site Scripting. The script is stored in the site database and will execute when a victim visits a specific crafted link containing the form entry id. Note that user interaction is required for the JavaScript to execute.

Recommendations
For Metform Elementor Contact Form Builder for WordPress versions up to, and including, 3.3.0, update to a version higher than 3.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the mf shortcode for users with contributor-level permissions or above until a patch is available.
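The unescaped-echo pattern the description refers to, placed beside the output-escaping fix, as an added PHP example. This is illustrative code written for this page, not Metform's own shortcode handler: the shortcode name `mf_entry_demo`, the in-memory `$demo_entries` array standing in for the database, the field layout and the two sample submissions are all assumptions. The stand-in definitions of `esc_html`, `esc_attr` and `shortcode_atts` exist only so the file also runs under plain `php` outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added illustration (not Metform's code): a hypothetical shortcode that renders
// a stored form submission, shown first without escaping and then with it.

// Stand-ins for WordPress helpers so the file runs with plain `php` as well.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return esc_html($text); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        return array_merge($defaults, is_array($atts) ? $atts : array());
    }
}

// Constructed sample of stored submissions (assumption: a real plugin reads these
// from the database). Entry 2 carries markup that must never reach the page raw.
$demo_entries = array(
    1 => array('name' => 'Alice', 'message' => 'Hello from the contact form'),
    2 => array('name' => '<b>Bob</b>', 'message' => '<script>alert(1)</script>'),
);

// VULNERABLE PATTERN: the stored value is concatenated into the page unchanged,
// so the browser interprets whatever was submitted as HTML.
function render_entry_unescaped(array $entry): string {
    $html = '';
    foreach ($entry as $field => $value) {
        $html .= '<p><strong>' . $field . ':</strong> ' . $value . '</p>';
    }
    return $html;
}

// FIXED PATTERN: escape at the point of output. esc_html() converts <, >, &
// and quotes to entities, so submitted markup is displayed as text, not executed.
function render_entry_escaped(array $entry): string {
    $html = '';
    foreach ($entry as $field => $value) {
        $html .= '<p><strong>' . esc_html($field) . ':</strong> ' . esc_html($value) . '</p>';
    }
    return $html;
}

// Shortcode callback using the escaped renderer. The entry id arrives from the
// shortcode attribute (or, in a real plugin, a URL parameter): treat it as untrusted.
function mf_entry_demo_shortcode($atts): string {
    global $demo_entries;
    $atts = shortcode_atts(array('id' => 0), $atts);
    $id = (int) $atts['id'];
    if (!isset($demo_entries[$id])) {
        return '<p>' . esc_html('No such entry') . '</p>';
    }
    return render_entry_escaped($demo_entries[$id]);
}

if (function_exists('add_shortcode')) {
    add_shortcode('mf_entry_demo', 'mf_entry_demo_shortcode');
} else {
    // Stand-alone run: compare both renderings of the constructed entry 2.
    echo "Unescaped (vulnerable):\n" . render_entry_unescaped($demo_entries[2]) . "\n\n";
    echo "Escaped (fixed):\n" . mf_entry_demo_shortcode(array('id' => 2)) . "\n";
}
```

Run with `php example.php` to see the two renderings side by side: in the escaped output the `<script>` tag appears as literal text. The example demonstrates the output-escaping fix; it does not implement the temporary shortcode-restriction workaround mentioned above, which is a matter of which user roles may place the shortcode rather than of how entries are rendered. Escaping belongs at output, not at storage: storing an already-escaped value breaks non-HTML consumers (CSV export, email notifications) and is easy to forget on new render paths.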

Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2023-0695

Affected Products
Metform Elementor Contact Form Builder