CVE-2023-0695: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf' shortcode to echo unescaped form...
Description
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a specific link. Note that getting the JavaScript to execute still requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database.
Classification
CVE ID: CVE-2023-0695
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.4
Affected Products
Vendor: xpeedstudio
Product: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.06% (probability of being exploited)
EPSS Percentile: 30.58% (scored less or equal to compared to others)
EPSS Date: 2025-02-03 (when was this score calculated)
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/1c866d8d-399c-4bda-a3c9-17c7e5d2ffb8?source=cvehttps://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078