PT-2023-16466 · WordPress · Metform Elementor Contact Form Builder

Author: Ram +1 · Published 2023-06-09 · Updated 2023-06-14 · CVE-2023-0709

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Metform Elementor Contact Form Builder for WordPress, versions up to and including 3.3.0.

Description
The plugin allows authenticated attackers with contributor-level permissions or above to inject arbitrary web scripts into pages. The 'mf last name' shortcode echoes stored form submissions without escaping them, so a script placed in a submission is stored in the site database and executes whenever a victim visits a page containing the shortcode while the submission id is present in the query string. User interaction is required: the victim must visit a crafted link carrying the form entry id for the JavaScript to execute.

Recommendations
For versions up to and including 3.3.0, update to a version higher than 3.3.0 to resolve the issue. As a temporary workaround, consider disabling the 'mf last name' shortcode until a patch is available. Restrict access to pages that contain the shortcode to minimize the risk of exploitation, and avoid using the shortcode on pages reachable by untrusted users until the issue is resolved.
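To illustrate the defect class described above (a shortcode echoing a stored submission field without output escaping) and its fix, here is an added example in the style of a WordPress shortcode handler. It is not Metform's code: the shortcode name, the `entry_id` query parameter, the `mf_last_name` field key and the `example_get_submission_field()` lookup are hypothetical stand-ins, and the stored submission is constructed sample data.

```php
<?php
// Illustrative shortcode handler, not the plugin's own code. It models the
// pattern in the advisory: a shortcode looks up a stored form submission by
// an id taken from the query string and echoes one of its fields.

// Hypothetical lookup of one field of a stored submission. A real plugin
// reads this from the database; here a constructed sample stands in so the
// snippet is self-contained.
function example_get_submission_field( $entry_id, $field ) {
    $sample = array(
        7 => array( 'mf_last_name' => 'O\'Brien <b>bold</b>' ),
    );
    return isset( $sample[ $entry_id ][ $field ] ) ? $sample[ $entry_id ][ $field ] : '';
}

// Hypothetical query parameter carrying the submission id, as in the
// advisory's "submission id present in the query string". absint() forces
// a non-negative integer so the id itself cannot carry markup.
function example_requested_entry_id() {
    return isset( $_GET['entry_id'] ) ? absint( $_GET['entry_id'] ) : 0;
}

// VULNERABLE pattern: the stored value is returned verbatim, so any HTML a
// contributor placed in the submission is rendered by the visitor's browser.
function example_last_name_unescaped( $atts ) {
    return example_get_submission_field( example_requested_entry_id(), 'mf_last_name' );
}

// HARDENED pattern: escape at the point of output. esc_html() converts
// <, >, &, " and ' to entities, so stored markup is displayed as text.
// Use wp_kses_post() instead only if a limited set of HTML is intended.
function example_last_name_escaped( $atts ) {
    return esc_html( example_get_submission_field( example_requested_entry_id(), 'mf_last_name' ) );
}

// Register only the escaped handler; the unescaped one is shown for contrast.
add_shortcode( 'example_last_name', 'example_last_name_escaped' );
```

A quick check when reviewing a shortcode callback: every value that originates from user input (form submissions, post meta, query parameters) must pass through an `esc_*` or `wp_kses*` function on the way out, not only on the way in.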

Fix
XSS

Weakness Enumeration

Related Identifiers
CVE-2023-0709

Affected Products
Metform Elementor Contact Form Builder