CVE-2023-0084 in Metform Elementor Contact Form Builder

Summary

by MITRE • 03/02/2023

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page.


Analysis

by VulDB Data Team • 04/09/2026

The vulnerability identified as CVE-2023-0084 affects the Metform Elementor Contact Form Builder plugin for WordPress, specifically impacting versions up to and including 3.1.2. This critical security flaw stems from the plugin's inadequate input sanitization and output escaping of data entered into its form text areas. The vulnerability lies in the plugin's handling of user-submitted data, creating an avenue for malicious actors to inject persistent script code that executes in the context of other users' browsers.

The technical nature of this vulnerability classifies it as a stored cross-site scripting flaw, which operates through the manipulation of form submission data that gets stored in the WordPress database. When unauthenticated attackers craft malicious payloads and submit them through the contact form interface, these inputs are not properly sanitized before being stored and subsequently displayed on the submissions page. The lack of proper output escaping means that when legitimate users access these stored submissions, their browsers execute the injected malicious scripts, potentially leading to session hijacking, credential theft, or other malicious activities.
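The two-step defect described above (raw storage at intake, unescaped echo on the submissions page) and its hardened counterpart, as an added illustration in plain PHP that is not Metform's code. It assumes no WordPress is loaded, so htmlspecialchars() stands in for WordPress's esc_html()/esc_textarea() and a simplified strip_tags() filter stands in for sanitize_textarea_field(); all function and field names are hypothetical.

```php
<?php
// Constructed submission, as an unauthenticated visitor could POST it.
$submission = [
    'name'    => 'Visitor',
    'message' => 'Hello<script>/* constructed marker */</script>',
];

// Weak intake: persist exactly what was submitted (markup included).
function store_raw(array $post): array {
    return $post;
}

// Hardened intake: strip tags from text-area input before it is persisted.
// Simplified stand-in for sanitize_textarea_field(), which additionally
// removes control characters and percent-encoded octets.
function store_sanitized(array $post): array {
    return array_map(fn($v) => trim(strip_tags((string) $v)), $post);
}

// Weak render: the submissions page echoes stored values straight into HTML.
function render_unescaped(array $row): string {
    return '<td>' . $row['name'] . '</td><td>' . $row['message'] . '</td>';
}

// Hardened render: escape at output, regardless of what intake did.
// Output escaping is the control that holds even if a sanitizer is bypassed.
function render_escaped(array $row): string {
    $esc = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $esc($row['name']) . '</td><td>' . $esc($row['message']) . '</td>';
}

// Review check: a literal <script tag surviving into the page is the defect.
function contains_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

$cases = [
    'raw intake + unescaped render'       => render_unescaped(store_raw($submission)),
    'raw intake + escaped render'         => render_escaped(store_raw($submission)),
    'sanitized intake + unescaped render' => render_unescaped(store_sanitized($submission)),
];
foreach ($cases as $label => $html) {
    printf("%-40s script tag present: %s\n", $label, contains_script_tag($html) ? 'yes' : 'no');
    echo "    " . $html . "\n";
}
```

Only the first case reproduces the stored XSS condition; either control on its own neutralizes the constructed marker, and a plugin should apply both.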

The operational impact of CVE-2023-0084 extends beyond simple script injection, as it creates a persistent threat vector that can affect all users who access the affected submissions page. Attackers can leverage this vulnerability to execute arbitrary web scripts in the context of authenticated users, potentially escalating privileges or gaining unauthorized access to sensitive data. The vulnerability's presence in the submissions page makes it particularly dangerous as it can affect administrators and other privileged users who regularly review form submissions, creating a high-risk scenario for organizations relying on the plugin for contact form functionality.

This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in software applications. The weakness stems from insufficient input validation and output escaping practices within the plugin's data handling pipeline, making it susceptible to malicious payload injection. From an attack perspective, this vulnerability maps to several ATT&CK techniques including T1566 for social engineering and T1059 for command and scripting interpreter usage, as attackers can leverage the stored scripts to execute further malicious operations. The lack of proper sanitization and escaping creates a persistent threat that can be exploited by attackers without requiring authentication, making it particularly concerning for WordPress environments where such plugins are widely deployed.

Organizations should immediately update to the latest version of the Metform Elementor Contact Form Builder plugin to remediate this vulnerability, as the affected versions contain known security flaws that can be exploited by threat actors. System administrators should also implement additional monitoring of form submission data and consider implementing web application firewalls to detect and block suspicious script injections. Regular security audits of WordPress plugins and themes should include verification of input sanitization and output escaping mechanisms to prevent similar vulnerabilities from being introduced into production environments.

Reservation: 01/05/2023

Disclosure: 03/02/2023

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.47843

KEV: no

Activities: very low
