The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the mf shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about any standard form field of any form submission.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Metform_elementor_contact_form_builder | Wpmet | * | 3.3.1 (including) |
References
- https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078
- https://plugins.trac.wordpress.org/changeset/2910040/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1a8b194c-371f-4adc-98fa-8f4e47a38ee7?source=cve
- https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078
- https://plugins.trac.wordpress.org/changeset/2910040/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1a8b194c-371f-4adc-98fa-8f4e47a38ee7?source=cve