WordPress Metform Elementor Contact Form Builder Plugin Vulnerability
- September 4, 2023
The U.S. government's National Vulnerability Database (NVD) issued an advisory about a vulnerability in the Metform Elementor Contact Form Builder WordPress plugin that could leak sensitive information.
Metform Elementor Contact Form Builder for WordPress
The Metform Elementor Contact Form Builder is a third-party add-on to the popular Elementor page builder plugin, with over 200,000 installations.
It provides a drag-and-drop interface that makes it easy to build contact forms, including multi-step forms.
The Metform contact form builder WordPress plugin for Elementor allows beginners with no coding skills to create survey forms, contact forms and referral feedback forms, and it can also save a form so that a user can return to it if they lose and then regain their Internet connection.
According to the official WordPress plugin repository:
“MetForm, the drag-and-drop WordPress contact form builder is an addon for Elementor, build any fast and secure contact form on the fly with its drag-and-drop flexibility.
It can manage multiple contact forms, and you can customize the multi step form with an Elementor builder.”
Information Disclosure Vulnerability
The vulnerability allows an attacker to obtain sensitive information.
The NVD rates this vulnerability as a medium-severity threat because exploiting it requires an attacker to hold a subscriber-level or higher user role.
A subscriber-level user role is a relatively low bar for triggering the exploit, since it is easier to obtain than an admin- or editor-level user role.
An attacker only needs to register as a subscriber on a website in order to be able to launch an attack.
Elementor’s website describes the subscriber user role:
“A WordPress subscriber is a site user who can only edit their profile, read posts, and leave comments.
WordPress uses the concept of ‘roles’ to enable a site owner to control and manage what set of tasks (capabilities) users can do or not do within the site.
A subscriber is the lowest level of user role with the fewest permissions.”
Thus, an attacker can begin attacking the site with the lowest-level user role.
The NVD describes the threat:
“The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the ‘mf_first_name’ shortcode in versions up to, and including, 3.3.1.
This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter’s first name.”
Update Plugin To Mitigate Attack Threat
This vulnerability affects Metform Elementor Contact Form Builder plugin versions up to and including 3.3.1.
The most current version of the plugin is 3.4.0.
Metform Elementor Contact Form Builder version 3.3.2 is the version that fixed the vulnerability.
According to the official Metform Elementor Contact Form Builder changelog:
“Version 3.3.2
…Improved: Security, nonce and authorization checking.”
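To illustrate the kind of authorization check the 3.3.2 changelog refers to, here is an added example that is not Metform's own code: a hypothetical WordPress shortcode that returns a stored submission's first name, first in the unchecked form that matches the NVD description of the flaw, then with a capability check and output escaping. The post type `example_entry`, the meta key `first_name`, the shortcode name and the default post capability mapping are all assumptions.

```php
<?php
// Added illustration (not Metform's code). Assumes form submissions are
// stored as a custom post type 'example_entry' registered with the default
// post capabilities, with the submitter's first name in meta 'first_name'.

// Before: the handler trusts the id attribute and checks nothing, so any
// user who can get the shortcode rendered can read any entry's data.
function example_first_name_insecure( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'example_first_name' );
    return get_post_meta( (int) $atts['id'], 'first_name', true );
}

// After: confirm the object exists and is the expected type, confirm the
// current user may edit that specific entry, and escape the output.
function example_first_name_secure( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0 ), $atts, 'example_first_name' );
    $id    = absint( $atts['id'] );
    $entry = $id ? get_post( $id ) : null;

    // Unknown id or a post of another type: reveal nothing, not even
    // whether the id exists.
    if ( ! $entry || 'example_entry' !== $entry->post_type ) {
        return '';
    }

    // 'edit_post' is resolved per object through map_meta_cap(); with the
    // default mapping a subscriber lacks 'edit_posts' and is refused, while
    // administrators and editors (who hold 'edit_others_posts') pass.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $id ) ) {
        return '';
    }

    return esc_html( get_post_meta( $id, 'first_name', true ) );
}

add_shortcode( 'example_first_name', 'example_first_name_secure' );
```

A site owner who cannot update immediately can confirm the installed version with `wp plugin get metform --field=version` (assuming the plugin slug is `metform`) and compare it against 3.3.2.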
Read the official NVD advisory:
Featured image by Shutterstock/pedrorsfernandes