CVE-2023-0709 in Metform Elementor Contact Form Builder Plugin
Summary
by MITRE • 06/09/2023
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_last_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability identified as CVE-2023-0709 affects the Metform Elementor Contact Form Builder plugin for WordPress, representing a significant security weakness that enables cross-site scripting attacks through improper input sanitization. This flaw exists in versions up to and including 3.3.0, making a substantial portion of WordPress installations potentially vulnerable. The vulnerability specifically manifests when the 'mf_last_name' shortcode processes form submissions without adequate escaping of user-provided data, creating an environment where malicious scripts can be stored and executed within the target system.
The technical exploitation of this vulnerability requires an authenticated attacker possessing contributor-level permissions or higher, which represents a concerning privilege escalation risk since contributors typically have significant write access to WordPress sites. The flaw operates through the injection of malicious JavaScript code into the form submission data, which is then stored in the site's database. When victims visit pages containing the affected shortcode with a specific form entry id present in the query string, the stored malicious script executes in their browser context, creating a persistent cross-site scripting vector that can be leveraged for various malicious activities.
This vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in web applications, and demonstrates how improper output encoding can create persistent security risks within content management systems. The attack vector requires user interaction, as victims must visit a crafted link containing the form entry id, but once executed, the script operates with the privileges of the victim's browser session. The persistence of the malicious code in the database makes this vulnerability particularly dangerous, as it can affect multiple users over time without requiring repeated exploitation attempts.
The operational impact of CVE-2023-0709 extends beyond simple script execution, potentially enabling attackers to perform session hijacking, data exfiltration, and other malicious activities that compromise user privacy and system integrity. The vulnerability affects the core functionality of contact form submissions within WordPress environments, making it particularly attractive to attackers targeting WordPress sites that rely heavily on form-based user interactions. Organizations using the Metform plugin must consider the potential for credential theft, cookie manipulation, and other browser-based attacks that could compromise their entire user base.
Mitigation strategies should prioritize immediate plugin updates to versions that address this vulnerability, as recommended by the plugin developers and security vendors. Administrators should also implement additional security measures including input validation, output escaping, and regular security audits of form submissions. The vulnerability demonstrates the importance of proper sanitization practices in web applications, particularly when handling user-generated content that will be displayed in web pages. Organizations should also consider implementing web application firewalls and monitoring for suspicious form submission patterns that might indicate exploitation attempts, as the vulnerability can be leveraged for more sophisticated attacks when combined with other security weaknesses in the target environment.