CVE-2024-1585 in Metform Elementor Contact Form Builder Plugininfo

Summary

by MITRE • 03/13/2024

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/17/2025

The vulnerability identified as CVE-2024-1585 affects the Metform Elementor Contact Form Builder plugin for WordPress, representing a critical stored cross-site scripting weakness that has significant implications for website security. This vulnerability exists in all plugin versions up to and including 3.8.3, making it a widespread concern for WordPress administrators who rely on this popular form building tool. The flaw specifically resides in the plugin's shortcode implementation where user-supplied attributes are not properly sanitized or escaped before being rendered in web pages. This allows malicious actors to inject persistent malicious scripts that can execute in the context of other users' browsers when they access pages containing the vulnerable shortcode.

The technical nature of this vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's codebase. When administrators or users with contributor-level permissions and above create or modify forms using the plugin's shortcode functionality, they can inject malicious JavaScript code through attributes that are not properly filtered. The vulnerability operates as a stored XSS attack because the malicious code is permanently saved within the plugin's data structures and persists until manually removed. This differs from reflected XSS attacks where malicious code must be injected with each request, making stored XSS particularly dangerous as it affects all users who view the compromised content.

From an operational perspective, this vulnerability creates a severe risk for WordPress websites using the Metform plugin, as it allows attackers to execute arbitrary scripts in the browsers of unsuspecting users. The privilege requirement of contributor-level access or higher means that attackers typically need to have gained access to a user account with these permissions, which could occur through various attack vectors such as credential theft, social engineering, or exploitation of other vulnerabilities. Once exploited, the malicious scripts can perform a wide range of harmful actions including stealing user sessions, redirecting visitors to malicious sites, defacing content, or even installing additional malware. The impact extends beyond individual user sessions to potentially compromise entire websites and their associated data.

The vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications, and demonstrates the critical importance of proper input sanitization and output escaping in web applications. From an ATT&CK framework perspective, this vulnerability maps to techniques involving command and control communications and privilege escalation, as attackers can use the stored XSS to establish persistent access or expand their control over affected systems. Organizations should immediately update to the latest version of the Metform Elementor Contact Form Builder plugin to remediate this vulnerability, while also implementing additional security measures such as input validation at multiple layers, regular security audits, and monitoring for suspicious user activities. The vulnerability serves as a reminder of the importance of keeping all WordPress plugins updated and maintaining robust security practices to prevent exploitation of known weaknesses.

Responsible

Wordfence

Reservation

02/16/2024

Disclosure

03/13/2024

Moderation

accepted

CPE

ready

EPSS

0.00501

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!