CVE-2023-0710

Name of the Vulnerable Software and Affected Versions Metform Elementor Contact Form Builder for WordPress versions up to, and including, 3.3.0

Description The issue allows authenticated attackers with contributor-level permissions or above to inject arbitrary web scripts in pages using the fname attribute of the mf thankyou shortcode. This occurs when the submission id is present in the query string, and the victim visits a crafted link. The script is stored in the site database, and successful payment is required, increasing the complexity of the attack. User interaction is necessary for the JavaScript to execute.

Recommendations For Metform Elementor Contact Form Builder for WordPress versions up to, and including, 3.3.0, update to a version higher than 3.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the mf thankyou shortcode or disabling the fname attribute to minimize the risk of exploitation.