cvebase

Wpmet Metform Elementor Contact Form Builder vulnerabilities

23 known vulnerabilities affecting wpmet/metform_elementor_contact_form_builder.

Total CVEs: 23
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 17

Vulnerabilities

Page 1 of 2
CVE-2022-1442 | P2 | HIGH | CVSS 7.5 | PoC | fixed in 2.1.4 | 2022-05-10
CWE-862: The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in ver
Source: nvd
CVE-2023-0084 | P3 | MEDIUM | CVSS 6.1 | PoC | ≤ 3.1.2 | 2023-03-02
CWE-79: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever
Source: nvd
CVE-2023-0714 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.3.0 | 2024-08-17
CWE-434: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may ma
Source: nvd
CVE-2024-33570 | P3 | HIGH | CVSS 8.8 | fixed in 3.8.4 | 2024-05-06
CWE-862: Missing Authorization vulnerability in Roxnor Metform metform. This issue affects Metform: from n/a through <= 3.8.3.
Source: nvd
CVE-2023-50903 | P3 | CRITICAL | CVSS 9.8 | fixed in 3.4.1 | 2024-12-09
CWE-862: Missing Authorization vulnerability in Roxnor Metform metform allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metform: from n/a through <= 3.4.0.
Source: nvd
CVE-2024-4266 | P3 | HIGH | CVSS 7.5 | fixed in 3.8.9 | 2024-06-11
CWE-200: The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handle_file' function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by
Source: nvd
CVE-2023-0721 | P3 | HIGH | CVSS 7.8 | ≤ 3.3.0 | 2023-06-09
CWE-1236: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to CSV injection in versions up to, and including, 3.3.0. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Source: nvd
CVE-2023-0688 | P3 | MEDIUM | CVSS 6.5 | ≤ 3.3.1 | 2023-06-09
CWE-639: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_thankyou' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about form submissions, including payment status, and transaction ID.
Source: nvd
CVE-2023-0085 | P4 | MEDIUM | CVSS 5.3 | ≤ 3.2.1 | 2023-03-02
CWE-693: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to reCaptcha Bypass in versions up to, and including, 3.2.1. This is due to insufficient server side checking on the captcha value submitted during a form submission. This makes it possible for unauthenticated attackers to bypass Captcha restrictions and for attackers to uti
Source: nvd
CVE-2023-1843 | P4 | MEDIUM | CVSS 5.3 | ≤ 3.3.0 | 2023-06-09
CWE-862: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalink_setup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the permalink structure.
Source: nvd
CVE-2023-0708 | P4 | MEDIUM | CVSS 5.4 | ≤ 3.3.0 | 2023-06-09
CWE-79: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_first_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute whe
Source: nvd
CVE-2023-0709 | P4 | MEDIUM | CVSS 5.4 | ≤ 3.3.0 | 2023-06-09
CWE-79: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_last_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when
Source: nvd
CVE-2023-0695 | P4 | MEDIUM | CVSS 5.4 | ≤ 3.3.0 | 2023-06-09
CWE-79: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victi
Source: nvd
CVE-2023-0710 | P4 | MEDIUM | CVSS 5.4 | ≤ 3.3.0 | 2023-06-09
CWE-79: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'fname' attribute of the 'mf_thankyou' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in page
Source: nvd
CVE-2023-6788 | P4 | MEDIUM | CVSS 5.4 | ≤ 3.8.1 | 2024-01-09
CWE-352: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.1. This is due to missing or incorrect nonce validation on the contents function. This makes it possible for unauthenticated attackers to update the options "mf_hubsopt_token", "mf_hubsopt_refresh_token",
Source: nvd
CVE-2024-1585 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.8.4 | 2024-03-13
CWE-79: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above
Source: nvd
CVE-2023-0693 | P4 | MEDIUM | CVSS 4.3 | ≤ 3.3.1 | 2023-06-09
CWE-639: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_transaction_id' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the transaction ids of arbitrary form submissions that inc
Source: nvd
CVE-2024-2791 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.8.6 | 2024-04-02
CWE-79: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 3.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and ab
Source: nvd
CVE-2023-0692 | P4 | MEDIUM | CVSS 4.3 | ≤ 3.3.1 | 2023-06-09
CWE-639: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions.
Source: nvd
CVE-2023-0691 | P4 | MEDIUM | CVSS 4.3 | ≤ 3.3.1 | 2023-06-09
CWE-639: The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, specifically the submitter's last n
Source: nvd