PT-2023-16465 · WordPress · Metform Elementor Contact Form Builder

Ram +1 · Published 2023-06-09 · Updated 2023-06-14 · CVE-2023-0708

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Metform Elementor Contact Form Builder for WordPress versions up to, and including, 3.3.0

Description

The issue allows authenticated attackers with contributor-level permissions or above to inject arbitrary web scripts in pages using the mf first name shortcode. This occurs because the shortcode echoes unescaped form submissions, enabling the injection of scripts that will execute when a victim visits a page containing the shortcode and the submission id is present in the query string. The script is stored in the site database, and execution requires user interaction, such as visiting a crafted link with the form entry id.

Recommendations

For Metform Elementor Contact Form Builder for WordPress versions up to, and including, 3.3.0, consider disabling the use of the mf first name shortcode until a patch is available to prevent the injection of arbitrary web scripts. Additionally, restrict access to form submissions and limit contributor-level permissions to minimize the risk of exploitation.
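The pattern the description refers to, shown as an added illustration that is not Metform's own code: a shortcode handler that echoes a stored submission field unescaped, beside a hardened version that validates the entry id and escapes the value for the HTML context. The function names, the `first_name` meta key, the `mf_entry` post type and the `mf_entry_id` query parameter are assumptions; the advisory does not name the plugin's real identifiers.

```php
<?php
// Added illustration, not the plugin's code. All identifiers below
// (function names, 'first_name', 'mf_entry', 'mf_entry_id') are assumed.

// Vulnerable pattern: the stored form value is returned verbatim, so any
// markup or script a contributor stored in the submission is rendered in
// the browser of whoever visits the page with that entry id in the URL.
function hypothetical_mf_first_name_unsafe( $atts ) {
    $entry_id   = isset( $_GET['mf_entry_id'] ) ? $_GET['mf_entry_id'] : 0;
    $first_name = get_post_meta( $entry_id, 'first_name', true );
    return $first_name; // raw HTML reaches the page: stored XSS
}

// Hardened pattern: coerce the id to a positive integer, confirm it refers
// to a form entry, and escape the value at output time. esc_html() turns
// <, >, &, " and ' into entities, so stored markup is displayed as text.
function hypothetical_mf_first_name_safe( $atts ) {
    $entry_id = isset( $_GET['mf_entry_id'] )
        ? absint( wp_unslash( $_GET['mf_entry_id'] ) )
        : 0;
    if ( 0 === $entry_id || 'mf_entry' !== get_post_type( $entry_id ) ) {
        return '';
    }
    $first_name = get_post_meta( $entry_id, 'first_name', true );
    return esc_html( $first_name );
}

// Defence in depth: also strip tags when the submission is saved, so the
// database never holds markup in a field that is meant to be a name.
function hypothetical_mf_store_first_name( $entry_id, $raw_value ) {
    update_post_meta( $entry_id, 'first_name', sanitize_text_field( $raw_value ) );
}

add_shortcode( 'hypothetical_mf_first_name', 'hypothetical_mf_first_name_safe' );
```

Escaping at output is the fix that closes the issue; sanitising on save alone is insufficient because existing entries already stored before the change would still render unescaped.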

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-0708

Affected Products

Metform Elementor Contact Form Builder