4.3

CVE-2023-0689

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter's first name.
Mögliche Gegenmaßnahme
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor: Update to version 3.3.2, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WpmetMetform Elementor Contact Form Builder SwPlatformwordpress Version < 3.3.2
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Version *-3.3.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.46% 0.363
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@wordfence.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078
Product
https://plugins.trac.wordpress.org/changeset/2910040/
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903?source=cve
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903
Third Party Advisory