CVE-2023-6788

Name of the Vulnerable Software and Affected Versions Metform Elementor Contact Form Builder plugin for WordPress versions up to, and including, 3.8.1

Description The issue is due to missing or incorrect nonce validation on the contents function, making it possible for unauthenticated attackers to update certain options via a forged request. This could allow an attacker to connect their own Hubspot account to a victim site's metform to obtain leads and contacts. The attacker would need to trick a site administrator into performing an action, such as clicking on a link.

Recommendations For versions up to, and including, 3.8.1, update to a version higher than 3.8.1 to resolve the issue. As a temporary workaround, consider restricting access to the contents function until a patch is available. Avoid using the options mf hubsopt token, mf hubsopt refresh token, mf hubsopt token type, and mf hubsopt expires in in the affected plugin until the issue is resolved.