CVE-2023-1843
Published 2023-06-09
Priority: P429 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.63% (45.6th percentile)
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalink_setup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the permalink structure.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpmet | metform_elementor_contact_form_builder | <= 3.3.0 | — |
VulDB
Metform Elementor Contact Form Builder up to 3.3.0 on WordPress authorization
vuldb·2026-04-10·CVSS 6.5
CVE-2023-1843 [MEDIUM] Metform Elementor Contact Form Builder up to 3.3.0 on WordPress authorization
A vulnerability has been found in Metform Elementor Contact Form Builder up to 3.3.0 on WordPress and classified as critical. Affected is an unknown function. This manipulation causes missing authorization.
This vulnerability is tracked as CVE-2023-1843. The attack is possible to be carried out remotely. No exploit exists.
GHSA
GHSA-66qg-wxc5-mpwc: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability c
ghsa_unreviewed·2023-06-09
CVE-2023-1843 [MEDIUM] CWE-862 GHSA-66qg-wxc5-mpwc: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability c
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalink_setup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the permalink structure.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/metform/trunk/plugin.php#L544
https://plugins.trac.wordpress.org/changeset/2907471/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5db00eb6-3e05-42fa-bb84-2df4bcae3955?source=cve
2023-06-09
Published