CVE-2023-0721: Metform Elementor Contact Form Builder plugin for WordPress, CSV injection in versions up to and including 3.3.0

8.3 CVSS

Description

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to CSV injection in versions up to, and including, 3.3.0. Form submissions are written into the entries CSV export without neutralizing values that begin with a spreadsheet formula trigger character (=, +, -, @), so an unauthenticated attacker can embed untrusted input into exported CSV files. When an administrator downloads such a file and opens it in a spreadsheet application with a vulnerable configuration (for example, one that permits DDE or external-link execution), the injected formula can result in code execution on the local system.
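To make the mechanism concrete, the following is an added example (not the plugin's own code, which is PHP, and not taken from the referenced changeset): a minimal entries-to-CSV exporter in Python, once without and once with the standard CSV-injection mitigation of prefixing formula-like cells with a single quote. The entries, field names and payload strings are constructed for the example.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as
# the start of a formula. A cell that starts with one of these is evaluated,
# not displayed, even when the CSV field is double-quoted.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Return a cell value the spreadsheet will show as literal text.

    A leading apostrophe tells the spreadsheet to treat the cell as a string;
    the rest of the value is kept byte-for-byte so the entry is still readable.
    """
    if not is_formula_like(value):
        return value
    return "'" + value


def export_entries(entries, fields, safe=True) -> str:
    """Render form entries as CSV text.

    safe=False reproduces the vulnerable pattern: untrusted submission data is
    written straight into the export. safe=True neutralizes formula-like cells.
    Quoting every field (QUOTE_ALL) is still done in both modes to show that
    quoting alone does not stop formula evaluation.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(fields)
    for entry in entries:
        row = [entry.get(field, "") for field in fields]
        if safe:
            row = [neutralize_cell(cell) for cell in row]
        writer.writerow(row)
    return buf.getvalue()


def find_injection_candidates(entries, fields):
    """List (row_index, field) pairs whose stored value is formula-like.

    Useful as an audit check over entries that were collected before the
    exporter was hardened.
    """
    hits = []
    for i, entry in enumerate(entries):
        for field in fields:
            if is_formula_like(entry.get(field, "")):
                hits.append((i, field))
    return hits


# Constructed sample submissions: one benign, two carrying classic
# CSV-injection payloads (a DDE-style command launch and an arithmetic
# prefix variant that evades naive "=" checks).
SAMPLE_FIELDS = ["name", "email", "message"]
SAMPLE_ENTRIES = [
    {"name": "Alice", "email": "alice@example.com", "message": "hello"},
    {"name": "=cmd|' /C calc'!A0", "email": "x@example.com", "message": "hi"},
    {"name": "Bob", "email": "b@example.com", "message": "-2+3+cmd|' /C calc'!A0"},
]

if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_entries(SAMPLE_ENTRIES, SAMPLE_FIELDS, safe=False))
    print("--- hardened export ---")
    print(export_entries(SAMPLE_ENTRIES, SAMPLE_FIELDS, safe=True))
    print("flagged cells:", find_injection_candidates(SAMPLE_ENTRIES, SAMPLE_FIELDS))
```

The hardened output is what an exporter should emit: the attacker-controlled cells survive as text (`'=cmd|' /C calc'!A0`) and are never handed to the spreadsheet's formula engine. Note that `-` and `+` are included in the trigger set even though they also begin legitimate values such as negative numbers; for a contact-form export that trade-off is the right one.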

Classification

CVE ID: CVE-2023-0721

CVSS Base Severity: HIGH

CVSS Base Score: 8.3

Affected Products

Vendor: xpeedstudio

Product: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.14% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 50.93% (share of all scored vulnerabilities with an EPSS score at or below this one)

EPSS Date: 2025-02-03 (date the score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/ccd85a72-1872-4c4f-8ba7-7f91b0b37d4a?source=cve
https://plugins.trac.wordpress.org/browser/metform/trunk/core/entries/export.php?rev=2845078
https://plugins.trac.wordpress.org/changeset/2907471/

Timeline