CVE-2023-0710 in Metform Elementor Contact Form Builder Plugin情報

要約

〜によって MITRE • 2023年06月09日

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'fname' attribute of the 'mf_thankyou' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database. Additionally this requires successful payment, increasing the complexity.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

責任者

Wordfence

予約する

2023年02月07日

モデレーション

承諾済み

エントリ

VDB-231126

EPSS

0.00389

アクティビティ

非常低い

セクター

Hostingprovider

ソース

Want to know what is going to be exploited?

We predict KEV entries!