CVE-2023-0695 in Metform Elementor Contact Form Builder Plugininfo

Summary

by MITRE • 06/09/2023

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a specific link. Note that getting the JavaScript to execute still requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/09/2026

The vulnerability identified as CVE-2023-0695 affects the Metform Elementor Contact Form Builder plugin for WordPress, specifically impacting versions up to and including 3.3.0. This represents a significant security flaw that exploits a cross-site scripting vulnerability through the mf shortcode functionality. The vulnerability is particularly concerning because it allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into the WordPress environment, creating a persistent threat vector that can be executed when victims visit specific crafted links containing form entry identifiers.

The technical flaw stems from improper output escaping within the plugin's handling of form submissions. When the mf shortcode processes form data, it fails to properly sanitize or escape the content before rendering it in web pages, creating an XSS vulnerability that falls under CWE-79 - Improper Neutralization of Input During Web Page Generation. This vulnerability exists because the plugin does not adequately validate or escape user-supplied input that gets echoed back to users through the shortcode mechanism, allowing attackers to store malicious JavaScript code within the site's database through legitimate form submissions.

The operational impact of this vulnerability extends beyond simple script injection, as it creates a persistent threat that can be exploited repeatedly. Attackers with contributor-level access can craft malicious form entries that contain JavaScript code, which then gets stored in the database and executed whenever victims visit specific links containing the form entry IDs. This requires user interaction to trigger the execution but eliminates the need for additional exploitation steps once the malicious payload is stored, making it a particularly dangerous vulnerability for sites with multiple contributors or users with elevated permissions. The attack vector requires victims to click on crafted links, but the actual payload execution occurs server-side through the stored form data.

Mitigation strategies should focus on immediate plugin updates to versions that address this vulnerability, as well as implementing additional security measures such as input validation and output escaping throughout the application. Organizations should also consider restricting contributor-level permissions to minimize the attack surface, implementing web application firewalls to detect and block suspicious script injection attempts, and conducting regular security audits of form handling mechanisms. The vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as attackers could potentially use this vulnerability to deliver malicious payloads through crafted form submissions that appear legitimate to end users. Additionally, this vulnerability demonstrates the importance of proper input sanitization and output escaping practices as outlined in OWASP Top Ten 2021 category A03: Injection, which emphasizes the critical need for proper data validation and sanitization in web applications.

Responsible

Wordfence

Reservation

02/06/2023

Disclosure

06/09/2023

Moderation

accepted

CPE

ready

EPSS

0.00416

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!