cleantalk
Vulnerabilities and Security Researches

Metform Elementor Contact Form Builder, CVE-2023-0709

CVE, Research URL

CVE-2023-0709

Home page URL

Security reports for Metform Elementor Contact Form Builder

Application

Metform Elementor Contact Form Builder

Published on
Jun 09, 2023
Research Description
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_last_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database.
Affected versions
Min -, max 3.3.1.
Status
vulnerable
Previous vulnerability researches
Metform Elementor Contact Form Builder (CVE-2025-30914) , Apr 01, 2025
Metform Elementor Contact Form Builder (CVE-2023-50903) , Jun 10, 2024
Metform Elementor Contact Form Builder (CVE-2024-4266) , Jun 14, 2024
Metform Elementor Contact Form Builder (CVE-2023-0709) , Jun 06, 2024
Metform Elementor Contact Form Builder (CVE-2022-1442) , Jun 06, 2024
New vulnerability
Customizable WordPress Gallery Plugin – Modula Image Gallery (CVE-2024-9416) , Apr 04, 2025
Contact Form vCard Generator (CVE-2025-31582) , Apr 04, 2025
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) (CVE-2025-1663) , Apr 04, 2025
AI Search Bar (CVE-2025-31563) , Apr 04, 2025
Ship Per Product (CVE-2025-31773) , Apr 04, 2025